diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..9db51a7
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+Unconditionally, changes to `config.yaml` must
+- [ ] be approved by 2 members of the OQS TSC
+- [ ] not violate permissions documented in GOVERNANCE.md files for sub projects where such files exist
+
+The following goals apply to changes to the file `config.yaml` with exceptions possible, as long as the rationale for the exception is documented by comments in the file:
+- [ ] all sub projects should be treated identically wrt roles & responsibilities as per the detailed list below
+- [ ] teams/team designations are to be used wherever possible; using personal GH handles should only be used in team definitions
+- [ ] Admin changes to the file must be documented by comments as to the rationale of the change
+
+All the following conditions hold for permissions set in `config.yaml`:
+- sub project maintainers have admin rights on the sub projects
+- OQS and sub project release managers have maintainer rights on the sub projects but can themselves set/reset branch protection rules limiting write access to sensitive branches
+- sub project committers have write rights on all branches of the sub projects but can request branch protection rules limiting this
+- sub project contributors (incl. code owners) have write rights on all branches except main on those sub projects
+- OQS and sub project triage actors have triage rights on all branches of the sub projects
+- OQS maintainers and LF admins have admin rights on the organization (e.g., org-wide secret management) as well as maintenance rights on the team configurations
+
diff --git a/CODEOWNERS b/CODEOWNERS
index 6e40389..5d5bd44 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1 +1 @@
-config.yaml @ryjones @open-quantum-safe/tsc
+config.yaml @open-quantum-safe/tsc
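Review bot: After this change `@open-quantum-safe/tsc` is the sole owner of `config.yaml`, and GitHub only requests and enforces code-owner review from a team that has write access to the repository holding the file. The config.yaml change in this same commit sets `tsc: read` on every listed repository except `tsc`, and the repository that hosts this CODEOWNERS file is not visible here, so it is worth confirming the team has write there; otherwise the rule silently stops applying. Separately, a CODEOWNERS rule is satisfied by a single owning approval, so the template's "approved by 2 members of the OQS TSC" has to be enforced through the branch protection's required-approval count rather than by this file.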
diff --git a/config.yaml b/config.yaml
index 600220d..41e5f59 100644
--- a/config.yaml
+++ b/config.yaml
@@ -1,281 +1,432 @@ teams: -- name: boringssl-maintainers +# org owners +- name: org-owners maintainers: - - dstebila - members: - - claucece - - pi-314159 + - ryjones + - thelinuxfoundation + +# admin access on all projects +- name: oqs-admins + maintainers: + - ryjones +# write access on all technical projects - name: bots maintainers: - oqs-bot -- name: core + +# write access on TSC to post meeting minutes +- name: minute-takers maintainers: - - baentsch - dstebila members: - SWilson4 - - bhess - - christianpaquin - - praveksharma +# access to Trail of Bits audit project board +- name: trail-of-bits + maintainers: + - SWilson4 + members: + - fcasal + - tob-scott-a + +# A sensible default for projects without a clear list of Maintainers. +# Consists of TSC members who are maintainers of at least one active OQS subproject. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. +- name: oqs-maintainers + maintainers: + - dstebila + members: + - baentsch - vsoftco -- name: liboqs-committers +# A sensible default for projects without a clear list of Release Managers. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. +- name: oqs-release-managers maintainers: - dstebila members: - - Martyrshot + - baentsch + - praveksharma - SWilson4 - - ashman-p + - vsoftco +# A sensible default for projects without a clear list of Committers. +# Mirrors the old "core" team. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. +- name: oqs-committers + maintainers: + - dstebila + members: - baentsch - bhess - christianpaquin - - cothan - - jschanck - praveksharma - - thomwiggers + - SWilson4 - vsoftco -- name: liboqs-cupqc-maintainers +# A sensible default for projects without a clear list of Contributors. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. 
+- name: oqs-contributors maintainers: - - praveksharma + - dstebila members: - - ydoroz - - stevenireeves - - neil-lindquist -- name: liboqs-maintainers + - ajbozarth + - ashman-p + - alexrow + - cothan + - crockeea + - feventura + - geedo0 + - iyanmv + - jimouris + - jplomas + - jschanck + - Martyrshot + - pi-314159 + - planetf1 + - thb-sb + - thomwiggers + +# Technical Steering Committee +# https://github.com/open-quantum-safe/tsc/blob/main/README.md#members +- name: tsc maintainers: - dstebila members: + - ashman-p - baentsch -- name: liboqs-cpp-admins - maintainers: + - bhess + - brian-jarvis-aws + - christianpaquin + - thb-sb - vsoftco -- name: liboqs-java-committers + +# liboqs Maintainers +# https://github.com/open-quantum-safe/liboqs/blob/main/GOVERNANCE.md#maintainers-1 +- name: liboqs-maintainers maintainers: - - ryjones + - dstebila members: - - jimouris -- name: liboqs-go-admins - maintainers: - - vsoftco -- name: liboqs-python-admins - maintainers: - - vsoftco -- name: libssh-admins + - baentsch +# liboqs Committers +# https://github.com/open-quantum-safe/liboqs/blob/main/GOVERNANCE.md#committers-1 +- name: liboqs-committers maintainers: - dstebila members: + - baentsch + - bhess - christianpaquin -- name: libssh-maintainers + - jschanck + - Martyrshot + - praveksharma + - SWilson4 + - vsoftco +# liboqs CODEOWNERS +# https://github.com/open-quantum-safe/liboqs/blob/main/.github/CODEOWNERS +- name: liboqs-codeowners maintainers: - dstebila -- name: minute-takers - maintainers: + members: + - alexrow + - baentsch + - bhess + - crockeea + - jschanck - SWilson4 -- name: openssh-committers + +# oqs-provider Maintainers +# https://github.com/open-quantum-safe/oqs-provider/blob/main/GOVERNANCE.md#maintainers-1 +- name: oqs-provider-maintainers maintainers: - - dstebila + - baentsch +# oqs-provider Committers +# https://github.com/open-quantum-safe/oqs-provider/blob/main/GOVERNANCE.md#committers-1 +- name: oqs-provider-committers + maintainers: + - baentsch 
members: - - geedo0 + - bhess + - christianpaquin + - thb-sb +# oqs-provider CODEOWNERS +# https://github.com/open-quantum-safe/oqs-provider/blob/main/.github/CODEOWNERS - name: oqs-provider-codeowners maintainers: - baentsch members: + - alexrow - bhess - feventura - iyanmv + - jplomas - thb-sb -- name: oqs-provider-committers + +# boringssl Maintainers +# TODO: provide "source of truth" +- name: boringssl-maintainers maintainers: - - thb-sb -- name: read + - pi-314159 + +# openssh Release Managers +# TODO: provide "source of truth" +- name: openssh-release-managers maintainers: - dstebila members: - - jplomas -- name: rust + - baentsch + - geedo0 + - praveksharma + +# liboqs-cpp Maintainers +# TODO: provide "source of truth" +- name: liboqs-cpp-maintainers maintainers: - - thomwiggers -- name: triage + - vsoftco +# liboqs-cpp Release Managers +# TODO: provide "source of truth" +- name: liboqs-cpp-release-managers maintainers: - - dstebila - members: - - planetf1 - - ajbozarth - - geedo0 -- name: trail-of-bits + - vsoftco + +# liboqs-go Maintainers +# TODO: provide "source of truth" +- name: liboqs-go-maintainers maintainers: - - SWilson4 - members: - - fcasal - - tob-scott-a -- name: tsc + - vsoftco +# liboqs-go Release Managers +# TODO: provide "source of truth" +- name: liboqs-go-release-managers + maintainers: + - vsoftco + +# liboqs-python Maintainers +# TODO: provide "source of truth" +- name: liboqs-python-maintainers + maintainers: + - vsoftco +# liboqs-python Release Managers +# TODO: provide "source of truth" +- name: liboqs-python-release-managers + maintainers: + - vsoftco + +# liboqs-java Maintainers +# TODO: provide "source of truth" +- name: liboqs-java-maintainers maintainers: - - baentsch - dstebila members: - - ashman-p - - bhess - - brian-jarvis-aws - - christianpaquin - - thb-sb - - vsoftco -- name: www + - jimouris + +# liboqs-rust Maintainers +# TODO: provide "source of truth" +- name: liboqs-rust-maintainers maintainers: - - crockeea + - 
thomwiggers +# liboqs-rust Release Managers +# TODO: provide "source of truth" +- name: liboqs-rust-release-managers + maintainers: + - thomwiggers + +# The following is a private project intentionally hidden from view. +# Contact praveksharma for details. +- name: liboqs-cupqc-maintainers + maintainers: + - praveksharma members: - - christianpaquin - - praveksharma - - SWilson4 - - vsoftco + - ydoroz + - stevenireeves + - neil-lindquist + repositories: - name: .github teams: - core: read + oqs-admins: admin + tsc: read + visibility: public + +- name: tsc + teams: + oqs-admins: admin tsc: write + minute-takers: write visibility: public -- name: boringssl - collaborators: - claucece: write - pi-314159: write + +- name: liboqs teams: - boringssl-maintainers: write + oqs-admins: admin + liboqs-maintainers: admin + oqs-release-managers: maintain + liboqs-committers: write + liboqs-codeowners: write + oqs-contributors: triage bots: write - core: write - triage: triage tsc: read visibility: public -- name: ci-containers + +- name: oqs-provider teams: - core: write - triage: triage + oqs-admins: admin + oqs-provider-maintainers: admin + oqs-release-managers: maintain + oqs-provider-committers: write + oqs-provider-codeowners: write + oqs-contributors: triage + bots: write tsc: read visibility: public -- name: liboqs + +- name: boringssl teams: + oqs-admins: admin + boringssl-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: write - liboqs-committers: write - liboqs-maintainers: maintain - read: read - triage: triage tsc: read visibility: public -- name: liboqs-cpp + +- name: openssh teams: + oqs-admins: admin + oqs-maintainers: admin + openssh-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: write - liboqs-cpp-admins: admin - triage: triage tsc: read visibility: public -- name: liboqs-cupqc - visibility: private - teams: - liboqs-cupqc-maintainers: 
maintain -- name: liboqs-dotnet + +- name: libssh teams: + oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: write - triage: triage tsc: read visibility: public -- name: liboqs-go + +- name: oqs-demos teams: + oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: maintain - liboqs-go-admins: admin - triage: triage tsc: read visibility: public -- name: liboqs-java - collaborators: - jimouris: write + +- name: profiling teams: + oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: maintain - liboqs-java-committers: write - triage: triage tsc: read visibility: public -- name: liboqs-python + +- name: ci-containers teams: + oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: write - liboqs-committers: write - liboqs-maintainers: maintain - liboqs-python-admins: admin - triage: triage tsc: read visibility: public -- name: liboqs-rust + +- name: liboqs-cpp teams: - core: write - liboqs-committers: write - liboqs-maintainers: maintain - rust: admin - triage: triage + oqs-admins: admin + liboqs-cpp-maintainers: admin + liboqs-cpp-release-managers: maintain + oqs-committers: write + oqs-contributors: triage + bots: write tsc: read visibility: public -- name: libssh + +- name: liboqs-go teams: - core: write - libssh-admins: admin - libssh-maintainers: maintain - triage: triage + oqs-admins: admin + liboqs-go-maintainers: admin + liboqs-go-release-managers: maintain + oqs-committers: write + oqs-contributors: triage + bots: write tsc: read visibility: public -- name: openssh + +- name: liboqs-python teams: + oqs-admins: admin + liboqs-python-maintainers: admin + liboqs-python-release-managers: maintain + 
oqs-committers: write + oqs-contributors: triage bots: write - core: write - openssh-committers: write - triage: triage tsc: read visibility: public -- name: openssl + +- name: liboqs-rust teams: + oqs-admins: admin + liboqs-rust-maintainers: admin + liboqs-rust-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: write - triage: triage tsc: read visibility: public -- name: oqs-demos + +- name: liboqs-dotnet teams: + oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: write - triage: triage tsc: read visibility: public - collaborators: - pi-314159: write -- name: oqs-provider + +- name: liboqs-java teams: + oqs-admins: admin + liboqs-java-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: triage bots: write - core: write - liboqs-committers: write - liboqs-maintainers: maintain - oqs-provider-codeowners: admin - oqs-provider-committers: write - triage: triage tsc: read visibility: public -- name: profiling + +# No Release Managers team as there are no releases for this project. +- name: www teams: + oqs-admins: admin + oqs-maintainers: admin + oqs-committers: write + oqs-contributors: triage bots: write - core: maintain - triage: triage tsc: read visibility: public -- name: tsc + +# The following is a private project intentionally hidden from view. +# Contact praveksharma for details. +- name: liboqs-cupqc teams: - core: read - minute-takers: write - triage: triage - tsc: write - visibility: public -- name: www + liboqs-cupqc-maintainers: maintain + visibility: private + +# TODO: This project is dead and probably should be read-only. +- name: openssl teams: - core: write - triage: triage - tsc: write - www: write + oqs-admins: admin + tsc: read visibility: public
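Review bot: The `bots: write` grant now appears on repositories where the old side had no bot entry (`ci-containers`, `libssh`, `liboqs-rust`, `www`), so the single `oqs-bot` account gains push access to four more repositories, including `ci-containers`, which by its name presumably feeds other projects' CI. The team comment `# write access on all technical projects` states the outcome but not why each repository needs it, and the permission list in the new pull-request template does not mention bots at all. I would keep `bots: write` only where automation actually pushes and put a rationale comment next to each remaining grant, e.g. `# oqs-bot pushes <job name> here` (placeholder, fill in the real job), or drop the line until a workflow needs it. Whether branch protection constrains the bot on `main` is not visible from this hunk.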