Tidelift - Software Supply Chain Security & Sustainability

[niccokunzmann]

I just completed the tasks to tidelift x-wr-timezone.
I also applied for icalendar to be tidelifted. They fund maintenance for open-source projects that companies depend on and thus secure the future of the project, security and quality while allowing these companies to have an interface that established trust and ease in the process.

These are the tasks that are still left to do for icalendar:

• Review release managers
  Here, we need to check that all people who are on PyPI and have access to release a new version
  • are still active for that purpose
  • have 2 factor authentication enabled
• Create a discoverable security policy & Create a security maintenance plan
  Here, we create a simple security.md file that allows Github to know which process we use to release security fixes - I can do that.

It seems that only 'maxm' does not have 2 factor authentication enabled. @mauritsvanrees - do you know who this is and could we ask maxm to enable 2fa?

@mauritsvanrees @stevepiercy @geier @jacadzaca, these are the current release managers:

• esteele
• geier
• jacadzaca
• maurits
• maxm - needs 2fa
• NiccoKunzmann
• plone
• regebro
• rnix
• thet
• timo
• untitaker
• wichert

Is there anyone that should be removed from the list or has left the project?

Thanks for your reply! I look forward to completing the tidelift tasks to make this project more professionally compatible with the current measures of core infrastructure libraries :)

See also:

• https://tidelift.com/lifter/search/pypi/icalendar

[stevepiercy]

The following individuals are active in Plone, and therefore also Collective.

• @esteele
• @thet
• @tisto
• @plone is an organization, but I don't know who has the keys to that username. @mauritsvanrees or @esteele may know.

The following individuals were very active a few years ago, but I'm not sure whether they still want or need Collective release manager permission.

• @regebro
• @wichert

I don't recognize the following individuals. Their GitHub username may differ from their PyPI username. I also don't know whether they want or need release manager permission in Collective.

• maxm - https://pypi.org/user/maxm/ - https://github.com/maxm
• rnix is probably @rnixx on GitHub
• untitaker is probably @untitaker on GitHub

For a security policy, see examples at:

• https://github.com/Pylons/.github/blob/main/SECURITY.md # I've seen this in action, and the maintainers have a very professional response.
• https://github.com/plone/.github/blob/main/SECURITY.md # @mauritsvanrees can speak Plone ones.
• https://github.com/plone/Products.CMFPlone/blob/master/.github/SECURITY.md

[regebro]

You can remove me.

[timo]

you probably meant someone else, I'm not the same timo as on pypi.org

[stevepiercy]

@timo thanks for responding. @tisto is the GitHub user. Sorry for the noise.

[niccokunzmann]

Thanks for all the responses!

I removed @wichert and @regebro.

I will give this another month to ask clearly:

Who wants/needs to stay a project owner of icalendar on PyPI?

If there is no response until 21 Jan 2025, I might remove you if I do not know you. You can be added again - no problem.

---

I would remove these users form the PyPI project: esteele, maxm, rnix, thet, timo, untitaker
I will leave these users in the PyPI project: jacadzaca, maurits, geier, niccokunzmann, plone

Please reply if you think this needs changing.

Before the operation, also check this:
https://community.plone.org/t/icalendar-pypi-cleanout-for-tidelifting/20304

[wichert]

Please feel free to remove me.

[tkimnguyen]

There are many owners of @plone

[tkimnguyen]

If a package is in the collective, we have been granting the collective user at least maintainer, and sometimes owner, role: https://pypi.org/user/collective/

[niccokunzmann]

Thanks! The pypi user "collective" is not part of that project. would it be good to add this one?

[thet]

The referenced maxm GitHub user is not the maxm who created icalendar. This is the one: https://www.linkedin.com/in/max-m-rasmussen-40a76314b/ - his slogan "IT's mad science!" rang a bell for me. maxm was quite active in the Python and also (I believe) Zope communities 20 years ago but then vanished.

Regarding release management rights - if it doesn't hurt for the security checks, keep me in please. I‌ have the feeling it's too early to fully retire from this project although I haven't contributed anything since a while.

[tisto]

The Plone release managers @mauritsvanrees, and @tisto (me) should be kept as well as the "collective" and "plone" users that the Plone release managers usually use to make releases. Thanks!