tools: change inactive limit to 12 months #52425
Conversation
|
I think 6 months is too short, but would be ok with 12 months |
@mhdawson Can you elaborate? I'd like to find the middle ground between 6 and 12 months. |
Just to put the total in a relative term too, that's ~17% of current collaborators. |
|
adding comment here as well as original discussion issue: @anonrig I can easily see people taking a break (for example to care for a new child etc.) who will come back getting removed by the 6 month check. A 12 month check makes this a lot less likely in my opinion. |
@mhdawson I understand but they can always be added back. There is no limiting factor for us to re-add a ex-collaborator as far as I know. I think we should ask ourselves how we feel about having a contributor with 11 months and 29 days inactivity blocking a highly important (or not) pull-request. In my honest opinion, I think 6 months is already a long duration to forget a large portion of a highly active project code, but it wouldn't be in our favor to lose half of our contributors in a single pull-request. |
@panva Thanks. I've added it to the pull-request description. |
|
I agree with @mhdawson. I do understand the security argument made in nodejs/TSC#1524.
Has this happened? I don't really see how the period of inactivity is relevant in these cases. Collaborators might still have valuable insights and might block based on design decisions that don' require an up-to-date understanding of "highly active project code", and in any case, I certainly don't expect every collaborator to keep up with changes to our code base. |
tniessen
added
the
meta
|
The security risk is related to the commit bit, right? So why not just get rid of the commit bit for everyone except a small subset, like the release team? I haven't used the commit bit in years; I rely on the |
|
I think the commit queue + GitHub bot still goes down/malfunctions frequent enough that we need a fallback when they stop working. It also doesn’t help that the automation isn’t actively maintained by anyone, and the CI is still too flaky (so whenever the automation fails you need to multiple the problem with a lot more CI runs). We should at least have a more stable group of volunteers that look after the automation before considering fully relying on it. |
I think in terms of decision making whether a contributor is an active collaborator or not does not make that much a difference. Even if a collaborator has already been inactive in the project for, say, 10 years, if they have strong opinions about a pull request then we should still consider their views and find a compromise. If a compromise cannot be made then we can still go with a TSC vote, and the inactive collaborator (or they don’t even need to be a past collaborator) can still present their perspectives to the TSC before we make an informed decision. |
|
Regarding who is using the commit bit, excluding release commits and onboarding commits: echo "$(
git log --since='1 year ago' --pretty=format:'%H$%aN$%cN$%s' | \
awk -F'$' '{ if($3 != "GitHub" && !match($4, /^202[0-9](-[0-9]{2}){2}, Version/) && !match($4, /^doc: add [^ ]+ (as a collaborator|to collaborators)$/)) {print $3} }'
)\n$(
gh pr list --state merged --limit 9999 --json mergedBy,mergeCommit,headRefOid --base main \
--search "merged:>$(date -v-1y -Idate)" \
--jq 'map(select(.headRefOid != .mergeCommit.oid)) | map(.mergedBy.name) | join("\n")'
)" | sort | uniq -cResults at the time of writingThat's 30 of 98 (non-bot) collaborators, so about a third. In my experience, the commit bit is useful when:
N.B.: This list might be quite inaccurate as it's relatively easy to impersonate someone with git because we don't enforce signatures. The only reliable way would be to ask GitHub support I think. It also doesn't show use of the GitHub UI/API, which I have used certainly more than 10 times in the previous year. |
That's one concern, and I do think there's value in being able to force-push to remove the most recent commit. Aside from that, the commit bit is not the only security concern. For example, being able to start Jenkins CI jobs might be sufficient for compromising some of our CI infrastructure. |
The script opens a PR editing the README. Once the PR has merged, it's the responsibility of TSC members to ensure the offboarding checklist has been completed. |
And the other two thirds are active, so by definition they’re landing commits, just via the bot? Could we just make the commit bit opt-in, then? Active collaborators who want it can get it, but those who prefer to use the bot can forgo the commit bit and remove one potential attack vector? |
anonrig
added
the
commit-queue-squash
ruyadorno
changed the title
|
Please amend the commit message, or it will say 6 months |
anonrig
force-pushed
the
update-inactive-collaborators
branch
from
dd5ce3d
to
4217324
Compare
Done @targos |
anonrig
added
the
author ready
|
CC @nodejs/tsc |
|
I'd assume this also needs a documentation update? (On mobile, otherwise I'd check myself.) |
anonrig
force-pushed
the
update-inactive-collaborators
branch
from
4217324
to
cec8474
Compare
You're right. Updated GOVERNANCE.md @tniessen |
|
Fast-track has been requested by @anonrig. Please 👍 to approve. |
|
This pull-request was discussed on TSC meeting today. That's why I'm requesting |
aduh95
added
commit-queue
|
The PR has been opened for more than 48 hours, fast tracking can't make it land any faster :) |
It's true, but I would consider it rude tu make significant changes to a PR and land it quickly (without notice) because it was already open before. |
That makes sense, but in this case, Yagiz has complied with all the proposed changes, it seems fair to me to assume if someone had a problem with the 12 months proposal, they would have had enough time to express that. |
nodejs-github-bot
removed
the
commit-queue
|
Landed in 423ad47 |
PR-URL: #52425 Reviewed-By: Ruy Adorno <ruy@vlt.sh> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
PR-URL: #52425 Reviewed-By: Ruy Adorno <ruy@vlt.sh> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
I'm proposing reducing the inactive collaborator contribution limit.
Referencing nodejs/TSC#1524, I recommend reducing the inactive collaborator duration to 12 months from 18 months.
cc @nodejs/tsc