Haskell GitHub Trust is a GitHub organization for community ownership of Haskell packages.
The two essential features of the Haskell GitHub Trust are
- All Haskell Github Trust organization members are Owners, and have control over all repositories, including transferring in and out.
- A Hackage “Group Account” haskell_github_trust so that every Trust Owner can publish any package in the Trust.
This is a place to keep your Haskell packages for long-term community maintenance.
You will still retain ownership and control of your package, but if you ever stop maintaining your package then someone else can maintain it without needing your permission.
- Transfer GitHub ownership of the package repository to this organization, github.com/haskell-github-trust.
- Add the Hackage account haskell_github_trust as a Hackage Maintainer for the package.
That’s it. We accept all packages, in any condition, with zero commitment or obligation.
Request to become a Trust Owner on the Discussions page, or by asking any other Trust Owner. Trust Owners must be vouched for by one other Trust Owner. We keep a record of which Trust Owners were vouched for by whom.
After you accept the Trust Owner invitation, please set your visiblity to Public. This is a trust-based organization, so we want the ownership list to be Public for transparency.
If any Trust Owner
- Inserts malevolent code in a package
- Uses the haskell-github-trust for fraud
- Uses the haskell-github-trust CI to mine Bitcoin
- Transfers a package repository out of this org without permission of the maintainer
- Or any other similar bad-faith activity
then that person and the Trust Owner who vouched for them will be blamed and shamed.
Any Trust Owner may add another person who they trust to be a Trust Owner. Invite the other person to become an Owner of this GitHub organization, then add their name to the Trust Owner list and your own name as the Trust Owner who vouched for them. For transparency, every Trust Owner should be a Public Owner of the GitHub organization.
You need your own “uploader” account on Hackage. Use the haskell_github_trust account password to add your own “uploader” account to the list of package Maintainers. The haskell_github_trust account does not have upload permission, rather it is a “Group Account” as described on hackage.haskell.org/upload.
Occasionally organizations want to have a group / organizational account for a package that is maintained by a group of people. The recommended approach for these cases is to only do package uploads from individual accounts and use the group account only for managing the maintainer list for the package.
In this way you can upload any package in this org.
- Follow the instructions in Taking over a package with your own Hackage account. Declare your intent to add the package to the Haskell GitHub Trust.
- Add the Hackage account haskell_github_trust to the list of Hackage Maintainers.
- Transfer or fork or copy the package repository into this org.
Talk in the GitHub Discussions or in Haskell Discourse.
You can transfer your repos back to your own account and quit this organization any time you want.
If a package has an active maintainer, then any volunteer improvements should be submitted as Pull Requests.
If a package is being ignored, then any Trust Owner may make improvements and publish new versions. Use courtesy and judgement when deciding whether a package is being ignored.
The password for the haskell_github_trust Hackage account is in github.com/haskell-github-trust/secrets .
- https://github.com/haskell-pkg-janitors Haskell package maintenance organization. how to join this group?
- https://github.com/haskell-party/ Haskell package maintenance organization. Introducing Haskell Party proposal
- https://github.com/haskell-works Also has a “Group Account” haskellworks
- https://github.com/rowtype-yoga This PureScript “anarcho type-level collective” is the model for the Haskell GitHub Trust.
-
Q. If someone upgrades my repo and publishes a release to Hackage while I'm on vacation, should I get offended?
A. No. If they did something wrong then fix it and then publish another release.
-
Q. What should I do if I suspect a Trust Owner is acting in bad faith?
A. Talk about it in private messages with the other Trust Owners.
-
Q. What happens if one of the Trust Owners transfers all the repos to the Trust Owner’s private account?
A. We can fork the repositories back here and expel the Trust Owner.
-
Q. What happens if one of the Trust Owners inserts malicious code and publishes to Hackage?
A. Talk to the other Trust Owners and also the Hackage Trustees.
-
Q. What happens if a Trust Owner deletes this whole org?
A. We can rebuild this org from local clones of the repositories. We would lose the information in the GitHub Issues. Nothing else would be lost.