governance: Add I-Al-Istannen as integrator #4867
That's an interesting point I did not consider. @MartinWitt and @SirYwell know me in the real world™ and I have spoken with @monperrus, so I am not really anonymous for the integrators. While it is already possible to connect my names, I am not completely sure I want to make it trivial and whether having my real name there makes much of a difference. On the other hand, I am not sure why I am so reluctant to merge the two: it's more of a gut feeling than actual reasoning. If you want to enforce it, my first name might be enough and if it is not, I will probably cope.
I'm somewhat conflicted. On one hand, knowing your full name changes nothing for me on a personal level. You could still be plotting a malicious injection of bad code, or be an as-of-yet uncaught axe wielding lunatic every so often, regardless of your real identity. On the other hand, one might see it as a matter of principle: users of Spoon have a right to know who the maintainers are, regardless of if that provides them with any information that's actually valuable. One could argue that tying your real identity to a project also makes you less likely to do any bad things, but as your identity is known to several people (and GitHub), that's kind of a moot point. If we were to vote on this, I would put a blank vote. I don't feel like I have a good answer. @monperrus @MartinWitt What do you think?
That's a very important question. Spoon could be used to spy on and leak millions of source code lines. The trust people have in Spoon directly depends on the integrators. I feel that real-world identities contribute to build this trust. On this topic, there is the ongoing related conversation at governance: introduce a background check for Spoon integrators. A related reading is “On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits,” Proc. Oakland, 2021.
I have no hard opinion on this topic, but losing @I-Al-Istannen as integrator seems unnecessary. How about a deal like we use his first name and first letter last name,
I'm unsure about this. If you don't trust your dependencies, does a real name which could be wrong change anything? If you really have trust problems but need the software, the only way to gain trust is to contact you or any integrator directly. We could enforce linked GPG if we want to improve the trust of users.
This is really the heart of the matter: The name would be only for outward appearances. As @I-Al-Istannen is a friend of @MartinWitt, we really have peak background check here. We can't do it better. So the question then is, are outward appearances so important that we'd reject an integrator that we sorely need, and that we have verified beyond any reasonable doubt is not malicious? We are severely lacking in integrating capacity right now. I myself have scant little time left over for Spoon nowadays. So little in fact that it might be questionable if I should still act in the capacity of an integrator. But that's a topic for another day. Again, providing a real name could be seen as an unbreakable matter of principle. I could understand that. I don't know of any larger open source projects with anonymous maintainers.
@MartinWitt Saw that I'd failed to sign my commit, hence force push. Hihu.
Let's untangle our policies and the acceptance of @I-Al-Istannen. I propose we move the discussion about real-world identities to another issue, and we proceed with accepting @I-Al-Istannen pseudonymously. WDYT?
CONTRIBUTING.md
@@ -27,6 +27,8 @@ Current integrators: | |||
- GPG fingerprint: [074F73B36D8DD649B132BAC18035014A2B7BFA92](https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x074F73B36D8DD649B132BAC18035014A2B7BFA92) | |||
- Martin Wittlinger [@MartinWitt](https://github.com/MartinWitt) | |||
- Email: wittlinger.martin@gmail.com | |||
- Hannes Greule [@SirYwell](https://github.com/SirYwell) | |||
- Email: hannesgreule@outlook.de | |||
- ?? [@I-Al-Istannen](https://github.com/I-Al-Istannen) | |||
- Email: ?? |
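Review bot: the new @I-Al-Istannen entry at the end of this hunk still has `??` placeholders for both the name and the `Email:` value, so it cannot be merged as is; fill in the agreed name (or pseudonym) and a contact address. The list already carries a GPG fingerprint for the integrator at the top of the hunk, so consider adding a `GPG fingerprint:` line for the new entry as well, which gives users something verifiable that does not depend on a real name.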
I could offer me@ialistannen.de
:)
I'll take you up on that offer :)
@monperrus I concur. PR updated, ready for review.
Thanks, will merge. Open question: is it possible to configure the GitHub repo configuration as infrastructure-as-code? If yes, adding a new integrator would simply mean merging a PR.
That should be possible, at work we use Terraform for stuff like that, although I'm not intimate with the details of how that's set up. See for example this article for how one could use Terraform Cloud to do something like what you propose.
@I-Al-Istannen congratulations! That's well deserved! You clearly demonstrated your technical skills, care and dedication to Spoon. Thanks a lot 🙏️
Thank you! :)
🎉
Related to #4233
@I-Al-Istannen Judging by your profile here on GitHub I get the feeling you may want to be anonymous. We haven't historically allowed integrators to be anonymous, so that'd require a discussion between current integrators.
If that's not the case and just happens to be the way you set up your account, then please fill in the blanks in this PR (with PR comments).