From 5ba3472c59db464721f7c5c77be9c62965caceb9 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Sep 2024 14:31:18 +0200 Subject: [PATCH 01/13] implementing #10 Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .github/pull_request_template.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..d73e185 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,23 @@ + + + + + From 4142084cf1700522b1a70bde54a0ea893b44516c Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Sep 2024 14:38:38 +0200 Subject: [PATCH 02/13] change formatting Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .github/pull_request_template.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d73e185..7a91da9 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -2,17 +2,18 @@ - + +Unconditionally, changes to `config.yaml` must +- [ ] be approved by 2 members of the OQS TSC +- [ ] not violate permissions documented in GOVERNANCE.md files for sub projects where such files exist The following goals apply to changes to the file `config.yaml` with exceptions possible, as long as the rationale for the excption is documented by comments in the file: - [ ] all sub projects should be treated identically wrt roles & responsibilities as per the detailed list below - [ ] teams/team designations are to be used wherever possible; using personal GH handles should only be used in team definitions - [ ] Admin changes to the file must be documented by comments as to the rationale of the change -All the following conditions hold +All the following conditions hold for permissions set in `config.yaml`: - sub project maintainers have admin rights on the sub projects - OQS and sub project release managers have maintainer rights on the sub projects but can themselves set/reset branch protection rules limiting write access to sensitive branches - sub project committers have write rights on all branches of the sub projects but can request branch protection rules limiting this @@ -20,4 +21,3 @@ All the following conditions hold - OQS and sub project triage actors have triage rights on all branches of the sub projects - OQS maintainers and LF admins have admin rights on the organization (e.g., org-wide secret management) as well as maintenance rights on the team configurations ---> From f6b174feaf2e72b51c6e3bbc5c66bed125122c95 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Sep 2024 14:40:35 +0200 Subject: [PATCH 03/13] add code owners Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 7a91da9..ebb98c2 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -17,7 +17,7 @@ All the following conditions hold for permissions set in `config.yaml`: - sub project maintainers have admin rights on the sub projects - OQS and sub project release managers have maintainer rights on the sub projects but can themselves set/reset branch protection rules limiting write access to sensitive branches - sub project committers have write rights on all branches of the sub projects but can request branch protection rules limiting this -- sub project contributors have write rights on all branches except main on those sub projects +- sub project contributors (incl. code owners) have write rights on all branches except main on those sub projects - OQS and sub project triage actors have triage rights on all branches of the sub projects - OQS maintainers and LF admins have admin rights on the organization (e.g., org-wide secret management) as well as maintenance rights on the team configurations From c541b25fbbadce8adf4d98f89fc803b9a24d953b Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 10 Sep 2024 19:31:48 +0200 Subject: [PATCH 04/13] Update .github/pull_request_template.md Co-authored-by: Spencer Wilson Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index ebb98c2..9db51a7 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md 
@@ -8,7 +8,7 @@ Unconditionally, changes to `config.yaml` must - [ ] be approved by 2 members of the OQS TSC - [ ] not violate permissions documented in GOVERNANCE.md files for sub projects where such files exist -The following goals apply to changes to the file `config.yaml` with exceptions possible, as long as the rationale for the excption is documented by comments in the file: +The following goals apply to changes to the file `config.yaml` with exceptions possible, as long as the rationale for the exception is documented by comments in the file: - [ ] all sub projects should be treated identically wrt roles & responsibilities as per the detailed list below - [ ] teams/team designations are to be used wherever possible; using personal GH handles should only be used in team definitions - [ ] Admin changes to the file must be documented by comments as to the rationale of the change From 9c19405cbc50bbdc1f4dd8ae21196684d82e3813 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Thu, 19 Sep 2024 15:23:58 +0200 Subject: [PATCH 05/13] first try to implement community rules Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- config.yaml | 156 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 101 insertions(+), 55 deletions(-) diff --git a/config.yaml b/config.yaml index 600220d..f881ec7 100644 --- a/config.yaml +++ b/config.yaml 
@@ -1,31 +1,40 @@ teams: -- name: boringssl-maintainers +- name: oqs-maintainers maintainers: - dstebila + - baentsch +- name: oqs-admins + maintainers: + - tsc + members: + - ryjones +- name: boringssl-maintainers + maintainers: + - oqs-maintainers members: - - claucece - pi-314159 - name: bots maintainers: - oqs-bot - name: core maintainers: - - baentsch - - dstebila + - oqs-maintainers members: - SWilson4 - bhess - christianpaquin - praveksharma - vsoftco +- name: liboqs-maintainers + maintainers: + - oqs-maintainers - name: liboqs-committers maintainers: - - dstebila + - liboqs-maintainers members: - Martyrshot - SWilson4 - ashman-p - - baentsch - bhess - christianpaquin - cothan @@ -33,6 +42,8 @@ teams: - praveksharma - thomwiggers - vsoftco +# The following is a completely private project intentionally hidden from view +# Contact praveksharma for details - name: liboqs-cupqc-maintainers maintainers: - praveksharma 
@@ -40,67 +51,85 @@ teams: - ydoroz - stevenireeves - neil-lindquist -- name: liboqs-maintainers +- name: liboqs-language-wrapper-maintainers maintainers: - - dstebila - members: - - baentsch -- name: liboqs-cpp-admins + - vsoftco + - oqs-maintainers +- name: liboqs-cpp-maintainers maintainers: - - vsoftco + - liboqs-language-wrapper-maintainers +- name: liboqs-java-maintainers + maintainers: + - oqs-maintainers - name: liboqs-java-committers maintainers: - - ryjones + - liboqs-java-maintainers members: - jimouris -- name: liboqs-go-admins +- name: liboqs-go-maintainers maintainers: - - vsoftco -- name: liboqs-python-admins + - liboqs-language-wrapper-maintainers +- name: liboqs-python-maintainers maintainers: - - vsoftco -- name: libssh-admins + - liboqs-language-wrapper-maintainers +- name: libssh-maintainers maintainers: - - dstebila + - oqs-maintainers members: - christianpaquin -- name: libssh-maintainers - maintainers: - - dstebila - name: minute-takers maintainers: - SWilson4 +- name: openssh-maintainers + maintainers: + - oqs-maintainers - name: openssh-committers maintainers: - - dstebila + - openssh-maintainers members: - geedo0 -- name: oqs-provider-codeowners +- name: oqsprovider-maintainers maintainers: + - oqs-maintainers +# explicit exclusion of dstebila to align with GOVERNANCE.md + members: - baentsch +- name: oqsprovider-codeowners + maintainers: + - oqsprovider-maintainers members: - bhess - feventura - iyanmv - thb-sb -- name: oqs-provider-committers +- name: oqsprovider-committers maintainers: - - thb-sb + - oqsprovider-maintainers + members: + - oqsprovider-codeowners - name: read maintainers: - - dstebila + - oqs-maintainers members: - jplomas - name: rust maintainers: + - oqs-maintainers + members: - thomwiggers - name: triage maintainers: - - dstebila + - oqs-maintainers members: - planetf1 - ajbozarth - geedo0 +- name: oqs-demos-contributors + maintainers: + - oqs-maintainers + members: + - pi-314159 +# Is this still needed? 
TBD - name: trail-of-bits maintainers: - SWilson4 @@ -109,8 +138,7 @@ teams: - tob-scott-a - name: tsc maintainers: - - baentsch - - dstebila + - oqs-maintainers members: - ashman-p - bhess @@ -120,8 +148,9 @@ teams: - vsoftco - name: www maintainers: - - crockeea + - oqs-maintainers members: + - crockeea - christianpaquin - praveksharma - SWilson4 @@ -131,30 +160,32 @@ repositories: teams: core: read tsc: write + oqs-maintainers: admin + oqs-admins: admin visibility: public - name: boringssl - collaborators: - claucece: write - pi-314159: write teams: - boringssl-maintainers: write + boringssl-maintainers: admin bots: write core: write triage: triage tsc: read + oqs-admins: admin visibility: public - name: ci-containers teams: - core: write + core: maintain triage: triage tsc: read + oqs-admins: admin visibility: public - name: liboqs teams: bots: write core: write - liboqs-committers: write - liboqs-maintainers: maintain + liboqs-committers: maintain + liboqs-maintainers: admin + oqs-admins: admin read: read triage: triage tsc: read @@ -163,36 +194,40 @@ repositories: teams: bots: write core: write - liboqs-cpp-admins: admin + liboqs-cpp-maintainers: admin + oqs-admins: admin triage: triage tsc: read visibility: public - name: liboqs-cupqc visibility: private teams: - liboqs-cupqc-maintainers: maintain + liboqs-cupqc-maintainers: admin +# No team/project maintainers for this project??? TBD - name: liboqs-dotnet teams: bots: write core: write triage: triage + oqs-admins: admin tsc: read visibility: public - name: liboqs-go teams: bots: write core: maintain - liboqs-go-admins: admin + liboqs-go-maintainers: admin + oqs-admins: admin triage: triage tsc: read visibility: public - name: liboqs-java - collaborators: - jimouris: write teams: bots: write core: maintain - liboqs-java-committers: write + liboqs-java-committers: maintain + liboqs-java-maintainers: admin + oqs-admins: admin triage: triage tsc: read visibility: public 
@@ -200,15 +235,16 @@ repositories: teams: bots: write core: write - liboqs-committers: write - liboqs-maintainers: maintain - liboqs-python-admins: admin + liboqs-python-committers: maintain + liboqs-python-maintainers: admin + oqs-admins: admin triage: triage tsc: read visibility: public - name: liboqs-rust teams: core: write +# This does not make any sense: these teams have no clue about this sub project TBD liboqs-committers: write liboqs-maintainers: maintain rust: admin @@ -218,8 +254,8 @@ repositories: - name: libssh teams: core: write - libssh-admins: admin - libssh-maintainers: maintain + libssh-maintainers: admin + oqs-admins: admin triage: triage tsc: read visibility: public @@ -227,10 +263,13 @@ repositories: teams: bots: write core: write - openssh-committers: write + openssh-maintainers: admin + openssh-committers: maintain + oqs-admins: admin triage: triage tsc: read visibility: public +# Is this right given the project is dead? TBD - name: openssl teams: bots: write @@ -240,26 +279,29 @@ repositories: visibility: public - name: oqs-demos teams: + oqs-admins: admin + oqs-maintainers: admin + oqs-demos-contributors: maintain bots: write core: write triage: triage tsc: read visibility: public - collaborators: - pi-314159: write -- name: oqs-provider +- name: oqsprovider teams: bots: write core: write liboqs-committers: write liboqs-maintainers: maintain - oqs-provider-codeowners: admin - oqs-provider-committers: write + oqsprovider-codeowners: admin + oqsprovider-committers: write triage: triage tsc: read visibility: public - name: profiling teams: + oqs-maintainers: admin + oqs-admins: admin bots: write core: maintain triage: triage @@ -267,6 +309,8 @@ repositories: visibility: public - name: tsc teams: + oqs-maintainers: admin + oqs-admins: admin core: read minute-takers: write triage: triage @@ -274,6 +318,8 @@ repositories: visibility: public - name: www teams: + oqs-maintainers: admin + oqs-admins: admin core: write triage: triage tsc: write 
From c0077aea60382a53fa126b4571ff4e75ea329e61 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Thu, 19 Sep 2024 15:33:33 +0200 Subject: [PATCH 06/13] removing admin approval need as per TSC agreement Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- CODEOWNERS | 2 +- config.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 6e40389..5d5bd44 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -config.yaml @ryjones @open-quantum-safe/tsc +config.yaml @open-quantum-safe/tsc diff --git a/config.yaml b/config.yaml index f881ec7..71ad47f 100644 --- a/config.yaml +++ b/config.yaml @@ -6,6 +6,7 @@ teams: - name: oqs-admins maintainers: - tsc +# Key person risk: TBI members: - ryjones - name: boringssl-maintainers From c6cf7545a3fb56de17b26e33e2710bb22f60b5ab Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Thu, 19 Sep 2024 15:37:53 +0200 Subject: [PATCH 07/13] one more fix to let CI check what's still wrong.... Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com> --- config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config.yaml b/config.yaml index 71ad47f..9f9e35f 100644 --- a/config.yaml +++ b/config.yaml @@ -55,6 +55,7 @@ teams: - name: liboqs-language-wrapper-maintainers maintainers: - vsoftco +# added to eliminate key person risk: - oqs-maintainers - name: liboqs-cpp-maintainers maintainers: @@ -73,6 +74,12 @@ teams: - name: liboqs-python-maintainers maintainers: - liboqs-language-wrapper-maintainers +- name: liboqs-python-committers + maintainers: + - liboqs-python-maintainers + members: +# Does this make sense to take support pressures off our sole language wrapper maintainer/committer? TBC + - core - name: libssh-maintainers maintainers: - oqs-maintainers From 3941292c40db7eaccd7bc11471e947001b69da62 Mon Sep 17 00:00:00 2001 
From: Spencer Wilson Date: Tue, 24 Sep 2024 13:36:33 -0400 Subject: [PATCH 08/13] Rewrite config file, adding sources of truth where applicable Signed-off-by: Spencer Wilson --- config.yaml | 496 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 292 insertions(+), 204 deletions(-) diff --git a/config.yaml b/config.yaml index 9f9e35f..110e77a 100644 --- a/config.yaml +++ b/config.yaml 
@@ -1,335 +1,423 @@ teams: -- name: oqs-maintainers +# admin access on all projects +- name: oqs-admins + maintainers: + - ryjones +# write access on all technical projects +- name: oqs-bots + maintainers: + - oqs-bot + +# write access on TSC to post meeting minutes +- name: minute-takers maintainers: - dstebila - - baentsch -- name: oqs-admins + members: + - SWilson4 +# access to Trail of Bits audit project board +- name: trail-of-bits maintainers: - - tsc -# Key person risk: TBI + - SWilson4 members: - - ryjones -- name: boringssl-maintainers + - fcasal + - tob-scott-a +# triage access across technical projects +- name: triage maintainers: - - oqs-maintainers + - dstebila members: - - pi-314159 -- name: bots + - ajbozarth + - planetf1 + +# A sensible default for projects without a clear list of Maintainers. +# Consists of TSC members who are maintainers of at least one active OQS subproject. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. +- name: oqs-maintainers maintainers: - - oqs-bot -- name: core + - dstebila + members: + - baentsch + - vsoftco +# A sensible default for projects without a clear list of Release Managers. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. +- name: oqs-release-managers maintainers: - - oqs-maintainers + - dstebila members: + - baentsch + - dstebila + - praveksharma - SWilson4 + - vsoftco +# A sensible default for projects without a clear list of Committers. +# Mirrors the old "core" team. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. +- name: oqs-committers + maintainers: + - dstebila + members: + - baentsch - bhess - christianpaquin - praveksharma + - SWilson4 - vsoftco -- name: liboqs-maintainers - maintainers: - - oqs-maintainers -- name: liboqs-committers +# A sensible default for projects without a clear list of Contributors. +# Developers who have contributed substantial code to at least one OQS subproject. 
+# This includes all people who are listed in a CODEOWNERS file in an OQS subproject. +# TODO: add/update per-project GOVERNANCE.md files and remove this team. +- name: oqs-contributors maintainers: - - liboqs-maintainers + - dstebila members: - - Martyrshot - - SWilson4 - ashman-p - - bhess - - christianpaquin + - alexrow - cothan + - crockeea + - feventura + - geedo0 + - iyanmv + - jimouris + - jplomas - jschanck - - praveksharma + - Martyrshot + - pi-314159 + - thb-sb - thomwiggers - - vsoftco -# The following is a completely private project intentionally hidden from view -# Contact praveksharma for details -- name: liboqs-cupqc-maintainers - maintainers: - - praveksharma - members: - - ydoroz - - stevenireeves - - neil-lindquist -- name: liboqs-language-wrapper-maintainers - maintainers: - - vsoftco -# added to eliminate key person risk: - - oqs-maintainers -- name: liboqs-cpp-maintainers - maintainers: - - liboqs-language-wrapper-maintainers -- name: liboqs-java-maintainers - maintainers: - - oqs-maintainers -- name: liboqs-java-committers + +# Technical Steering Committee +# https://github.com/open-quantum-safe/tsc/blob/main/README.md#members +- name: tsc maintainers: - - liboqs-java-maintainers + - dstebila members: - - jimouris -- name: liboqs-go-maintainers - maintainers: - - liboqs-language-wrapper-maintainers -- name: liboqs-python-maintainers - maintainers: - - liboqs-language-wrapper-maintainers -- name: liboqs-python-committers + - ashman-p + - baentsch + - bhess + - brian-jarvis-aws + - christianpaquin + - thb-sb + - vsoftco + +# liboqs Maintainers +# https://github.com/open-quantum-safe/liboqs/blob/main/GOVERNANCE.md#maintainers-1 +- name: liboqs-maintainers maintainers: - - liboqs-python-maintainers + - dstebila members: -# Does this make sense to take support pressures off our sole language wrapper maintainer/committer? 
TBC - - core -- name: libssh-maintainers + - baentsch +# liboqs Committers +# https://github.com/open-quantum-safe/liboqs/blob/main/GOVERNANCE.md#committers-1 +- name: liboqs-committers maintainers: - - oqs-maintainers + - dstebila members: + - baentsch + - bhess - christianpaquin -- name: minute-takers - maintainers: + - jschanck + - Martyrshot + - praveksharma - SWilson4 -- name: openssh-maintainers - maintainers: - - oqs-maintainers -- name: openssh-committers - maintainers: - - openssh-maintainers - members: - - geedo0 -- name: oqsprovider-maintainers + - vsoftco + +# oqs-provider Maintainers +# https://github.com/open-quantum-safe/oqs-provider/blob/main/GOVERNANCE.md#maintainers-1 +- name: oqs-provider-maintainers maintainers: - - oqs-maintainers -# explicit exclusion of dstebila to align with GOVERNANCE.md - members: - baentsch -- name: oqsprovider-codeowners +# oqs-provider Committers +# https://github.com/open-quantum-safe/oqs-provider/blob/main/GOVERNANCE.md#committers-1 +- name: oqs-provider-committers maintainers: - - oqsprovider-maintainers + - baentsch members: - bhess - - feventura - - iyanmv + - christianpaquin - thb-sb -- name: oqsprovider-committers + +# boringssl Maintainers +# TODO: provide "source of truth" +- name: boringssl-maintainers maintainers: - - oqsprovider-maintainers - members: - - oqsprovider-codeowners -- name: read + - pi-314159 + +# openssh Release Managers +# TODO: provide "source of truth" +- name: openssh-release-managers maintainers: - - oqs-maintainers + - dstebila members: - - jplomas -- name: rust + - baentsch + - geedo0 + - praveksharma + +# liboqs-cpp Maintainers +# TODO: provide "source of truth" +- name: liboqs-cpp-maintainers maintainers: - - oqs-maintainers - members: - - thomwiggers -- name: triage + - vsoftco +# liboqs-cpp Release Managers +# TODO: provide "source of truth" +- name: liboqs-cpp-release-managers maintainers: - - oqs-maintainers - members: - - planetf1 - - ajbozarth - - geedo0 -- name: 
oqs-demos-contributors + - vsoftco + +# liboqs-go Maintainers +# TODO: provide "source of truth" +- name: liboqs-go-maintainers maintainers: - - oqs-maintainers - members: - - pi-314159 -# Is this still needed? TBD -- name: trail-of-bits + - vsoftco +# liboqs-go Release Managers +# TODO: provide "source of truth" +- name: liboqs-go-release-managers maintainers: - - SWilson4 - members: - - fcasal - - tob-scott-a -- name: tsc + - vsoftco + +# liboqs-python Maintainers +# TODO: provide "source of truth" +- name: liboqs-python-maintainers maintainers: - - oqs-maintainers - members: - - ashman-p - - bhess - - brian-jarvis-aws - - christianpaquin - - thb-sb - vsoftco -- name: www +# liboqs-python Release Managers +# TODO: provide "source of truth" +- name: liboqs-python-release-managers maintainers: - - oqs-maintainers - members: - - crockeea - - christianpaquin - - praveksharma - - SWilson4 - vsoftco + +# liboqs-java Maintainers +# TODO: provide "source of truth" +- name: liboqs-java-maintainers + maintainers: + - dstebila + members: + - jimouris + +# liboqs-rust Maintainers +# TODO: provide "source of truth" +- name: liboqs-rust-maintainers + maintainers: + - thomwiggers +# liboqs-rust Release Managers +# TODO: provide "source of truth" +- name: liboqs-rust-release-managers + maintainers: + - thomwiggers + +# The following is a private project intentionally hidden from view. +# Contact praveksharma for details. 
+- name: liboqs-cupqc-maintainers + maintainers: + - praveksharma + members: + - ydoroz + - stevenireeves + - neil-lindquist + repositories: - name: .github teams: - core: read - tsc: write - oqs-maintainers: admin oqs-admins: admin - visibility: public -- name: boringssl - teams: - boringssl-maintainers: admin - bots: write - core: write - triage: triage tsc: read - oqs-admins: admin visibility: public -- name: ci-containers + +- name: tsc teams: - core: maintain - triage: triage - tsc: read oqs-admins: admin + tsc: write + minute-takers: write visibility: public + - name: liboqs teams: - bots: write - core: write - liboqs-committers: maintain - liboqs-maintainers: admin oqs-admins: admin - read: read + liboqs-maintainers: admin + oqs-release-managers: maintain + liboqs-committers: write + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -- name: liboqs-cpp + +- name: oqs-provider teams: - bots: write - core: write - liboqs-cpp-maintainers: admin oqs-admins: admin + oqs-provider-maintainers: admin + oqs-release-managers: maintain + oqs-provider-committers: maintain + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -- name: liboqs-cupqc - visibility: private - teams: - liboqs-cupqc-maintainers: admin -# No team/project maintainers for this project??? 
TBD -- name: liboqs-dotnet + +- name: boringssl teams: + oqs-admins: admin + boringssl-maintainers: admin + boringssl-release-managers: maintain + oqs-committers: write + oqs-contributors: write bots: write - core: write triage: triage - oqs-admins: admin tsc: read visibility: public -- name: liboqs-go + +- name: openssh teams: - bots: write - core: maintain - liboqs-go-maintainers: admin oqs-admins: admin + oqs-maintainers: admin + openssh-release-managers: maintain + oqs-committers: write + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -- name: liboqs-java + +- name: libssh teams: - bots: write - core: maintain - liboqs-java-committers: maintain - liboqs-java-maintainers: admin oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -- name: liboqs-python + +- name: oqs-demos teams: - bots: write - core: write - liboqs-python-committers: maintain - liboqs-python-maintainers: admin oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -- name: liboqs-rust + +- name: profiling teams: - core: write -# This does not make any sense: these teams have no clue about this sub project TBD - liboqs-committers: write - liboqs-maintainers: maintain - rust: admin + oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -- name: libssh + +- name: ci-containers teams: - core: write - libssh-maintainers: admin oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -- name: openssh + +- name: liboqs-cpp teams: - bots: write - core: write - 
openssh-maintainers: admin - openssh-committers: maintain oqs-admins: admin + liboqs-cpp-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write + bots: write triage: triage tsc: read visibility: public -# Is this right given the project is dead? TBD -- name: openssl + +- name: liboqs-go teams: + oqs-admins: admin + liboqs-go-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write bots: write - core: write triage: triage tsc: read visibility: public -- name: oqs-demos + +- name: liboqs-python teams: oqs-admins: admin - oqs-maintainers: admin - oqs-demos-contributors: maintain + liboqs-python-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write bots: write - core: write triage: triage tsc: read visibility: public -- name: oqsprovider + +- name: liboqs-rust teams: + oqs-admins: admin + liboqs-rust-maintainers: admin + liboqs-rust-release-managers: maintain + oqs-committers: write + oqs-contributors: write bots: write - core: write - liboqs-committers: write - liboqs-maintainers: maintain - oqsprovider-codeowners: admin - oqsprovider-committers: write triage: triage tsc: read visibility: public -- name: profiling + +- name: liboqs-dotnet teams: - oqs-maintainers: admin oqs-admins: admin + oqs-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write bots: write - core: maintain triage: triage tsc: read visibility: public -- name: tsc + +- name: liboqs-java teams: - oqs-maintainers: admin oqs-admins: admin - core: read - minute-takers: write + liboqs-java-maintainers: admin + oqs-release-managers: maintain + oqs-committers: write + oqs-contributors: write + bots: write triage: triage - tsc: write + tsc: read visibility: public + +# No Release Managers team as there are no releases for this project. 
- name: www teams: - oqs-maintainers: admin oqs-admins: admin - core: write + oqs-maintainers: admin + oqs-committers: write + oqs-contributors: write + bots: write triage: triage - tsc: write - www: write + tsc: read + visibility: public + +# The following is a private project intentionally hidden from view. +# Contact praveksharma for details. +- name: liboqs-cupqc + teams: + liboqs-cupqc-maintainers: maintain + visibility: private + +# TODO: This project is dead and probably should be read-only. +- name: openssl + teams: + oqs-admins: admin + tsc: read visibility: public From 23398e4c51336e40b030c839f08a1912e23b68e4 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 24 Sep 2024 13:38:40 -0400 Subject: [PATCH 09/13] Fix config error Signed-off-by: Spencer Wilson --- config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/config.yaml b/config.yaml index 110e77a..7a58c43 100644 --- a/config.yaml +++ b/config.yaml @@ -45,7 +45,6 @@ teams: - dstebila members: - baentsch - - dstebila - praveksharma - SWilson4 - vsoftco From e4e0da29773b94d9c01344754594d7d0660a6b27 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 24 Sep 2024 13:40:35 -0400 Subject: [PATCH 10/13] Fix further config errors Signed-off-by: Spencer Wilson --- config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config.yaml b/config.yaml index 7a58c43..c0a5b65 100644 --- a/config.yaml +++ b/config.yaml @@ -4,7 +4,7 @@ teams: maintainers: - ryjones # write access on all technical projects -- name: oqs-bots +- name: bots maintainers: - oqs-bot @@ -255,7 +255,7 @@ repositories: teams: oqs-admins: admin boringssl-maintainers: admin - boringssl-release-managers: maintain + oqs-release-managers: maintain oqs-committers: write oqs-contributors: write bots: write From b5ced25cbf890511d82b169650b49af3450ceb75 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Tue, 24 Sep 2024 14:31:56 -0400 Subject: [PATCH 11/13] Use release managers teams for language wrappers 
Signed-off-by: Spencer Wilson --- config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config.yaml b/config.yaml index c0a5b65..03ecb5c 100644 --- a/config.yaml +++ b/config.yaml @@ -327,7 +327,7 @@ repositories: teams: oqs-admins: admin liboqs-cpp-maintainers: admin - oqs-release-managers: maintain + liboqs-cpp-release-managers: maintain oqs-committers: write oqs-contributors: write bots: write @@ -339,7 +339,7 @@ repositories: teams: oqs-admins: admin liboqs-go-maintainers: admin - oqs-release-managers: maintain + liboqs-go-release-managers: maintain oqs-committers: write oqs-contributors: write bots: write @@ -351,7 +351,7 @@ repositories: teams: oqs-admins: admin liboqs-python-maintainers: admin - oqs-release-managers: maintain + liboqs-python-release-managers: maintain oqs-committers: write oqs-contributors: write bots: write From a464dbbdd24e24a30a66c5cab65599070bcfe663 Mon Sep 17 00:00:00 2001 From: Ry Jones Date: Wed, 25 Sep 2024 10:10:02 -0700 Subject: [PATCH 12/13] Add thelinuxfoundation account explicitly as an org owner Signed-off-by: Ry Jones --- config.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config.yaml b/config.yaml index 03ecb5c..8b938f1 100644 --- a/config.yaml +++ b/config.yaml @@ -1,4 +1,10 @@ teams: +# org owners +- name: org-owners + maintainers: + - ryjones + - thelinuxfoundation + # admin access on all projects - name: oqs-admins maintainers: From 236ba1ce1b575dc1c73a8fea96dd0ef46b6a5762 Mon Sep 17 00:00:00 2001 From: Spencer Wilson Date: Thu, 26 Sep 2024 10:39:06 -0400 Subject: [PATCH 13/13] Separate CODEOWNERS into separate teams to better enforce least privilege * downgrade oqs-contributors to triage * merge oqs-contributors team with triage team * factor out liboqs-codeowners and oqs-provider-codeowners Signed-off-by: Spencer Wilson --- config.yaml | 84 ++++++++++++++++++++++++++++------------------------- 1 file changed, 44 insertions(+), 40 deletions(-) 
diff --git a/config.yaml b/config.yaml index 8b938f1..41e5f59 100644 --- a/config.yaml +++ b/config.yaml @@ -27,13 +27,6 @@ teams: members: - fcasal - tob-scott-a -# triage access across technical projects -- name: triage - maintainers: - - dstebila - members: - - ajbozarth - - planetf1 # A sensible default for projects without a clear list of Maintainers. # Consists of TSC members who are maintainers of at least one active OQS subproject. @@ -68,13 +61,12 @@ teams: - SWilson4 - vsoftco # A sensible default for projects without a clear list of Contributors. -# Developers who have contributed substantial code to at least one OQS subproject. -# This includes all people who are listed in a CODEOWNERS file in an OQS subproject. # TODO: add/update per-project GOVERNANCE.md files and remove this team. - name: oqs-contributors maintainers: - dstebila members: + - ajbozarth - ashman-p - alexrow - cothan @@ -87,6 +79,7 @@ teams: - jschanck - Martyrshot - pi-314159 + - planetf1 - thb-sb - thomwiggers @@ -125,6 +118,18 @@ teams: - praveksharma - SWilson4 - vsoftco +# liboqs CODEOWNERS +# https://github.com/open-quantum-safe/liboqs/blob/main/.github/CODEOWNERS +- name: liboqs-codeowners + maintainers: + - dstebila + members: + - alexrow + - baentsch + - bhess + - crockeea + - jschanck + - SWilson4 # oqs-provider Maintainers # https://github.com/open-quantum-safe/oqs-provider/blob/main/GOVERNANCE.md#maintainers-1 @@ -140,6 +145,18 @@ teams: - bhess - christianpaquin - thb-sb +# oqs-provider CODEOWNERS +# https://github.com/open-quantum-safe/oqs-provider/blob/main/.github/CODEOWNERS +- name: oqs-provider-codeowners + maintainers: + - baentsch + members: + - alexrow + - bhess + - feventura + - iyanmv + - jplomas + - thb-sb # boringssl Maintainers # TODO: provide "source of truth" 
@@ -239,9 +256,9 @@ repositories: liboqs-maintainers: admin oqs-release-managers: maintain liboqs-committers: write - oqs-contributors: write + liboqs-codeowners: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -250,10 +267,10 @@ repositories: oqs-admins: admin oqs-provider-maintainers: admin oqs-release-managers: maintain - oqs-provider-committers: maintain - oqs-contributors: write + oqs-provider-committers: write + oqs-provider-codeowners: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -263,9 +280,8 @@ repositories: boringssl-maintainers: admin oqs-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -275,9 +291,8 @@ repositories: oqs-maintainers: admin openssh-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -287,9 +302,8 @@ repositories: oqs-maintainers: admin oqs-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -299,9 +313,8 @@ repositories: oqs-maintainers: admin oqs-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -311,9 +324,8 @@ repositories: oqs-maintainers: admin oqs-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -323,9 +335,8 @@ repositories: oqs-maintainers: admin oqs-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public 
@@ -335,9 +346,8 @@ repositories: liboqs-cpp-maintainers: admin liboqs-cpp-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -347,9 +357,8 @@ repositories: liboqs-go-maintainers: admin liboqs-go-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -359,9 +368,8 @@ repositories: liboqs-python-maintainers: admin liboqs-python-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -371,9 +379,8 @@ repositories: liboqs-rust-maintainers: admin liboqs-rust-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -383,9 +390,8 @@ repositories: oqs-maintainers: admin oqs-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -395,9 +401,8 @@ repositories: liboqs-java-maintainers: admin oqs-release-managers: maintain oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public @@ -407,9 +412,8 @@ repositories: oqs-admins: admin oqs-maintainers: admin oqs-committers: write - oqs-contributors: write + oqs-contributors: triage bots: write - triage: triage tsc: read visibility: public
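Review bot: In the `liboqs-cupqc` entry added in the hunk just before patch 09/13, the only grant is `liboqs-cupqc-maintainers: maintain`. There is no `oqs-admins: admin` line, although `www` and `openssl` in the same hunk both carry one and the per-project maintainer teams elsewhere in this series get `admin`. If leaving the admins team off a private repository is deliberate, the comment above the entry should say so; otherwise add the grant. The same comment names a personal handle (`praveksharma`) as the contact, which goes stale when roles change, so pointing at the team would hold up better. The `openssl` TODO ("probably should be read-only") is also left open by this series.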
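Review bot: Patch 11/13 moves `liboqs-cpp`, `liboqs-go` and `liboqs-python` to per-project release-manager teams, but the `liboqs-java` entry, visible as context in patch 13/13 at `@@ -395,9 +401,8`, still reads `oqs-release-managers: maintain` next to `liboqs-java-maintainers: admin`. Either give that wrapper its own release-manager team as well, or add a comment in `config.yaml` explaining why it is the exception. None of the three new team names is defined in the hunks shown here, so confirm each one exists under `teams:` before merging; patch 10/13 already had to replace `boringssl-release-managers` as a config error.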
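Review bot: The `org-owners` team added at the top of `teams:` in patch 12/13 is documented only by the comment `# org owners`, and no `repositories:` entry in this series references it, so the file does not show what privilege membership actually confers. Since the commit subject describes these accounts as org owners, extend the comment to state how the team maps to the organization owner role and who has to approve a change to its two `maintainers` entries.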
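Review bot: In the `oqs-provider` hunk of patch 13/13 (`@@ -250,10 +267,10`), `oqs-provider-committers` drops from `maintain` to `write`, and none of the three bullets in the commit message mentions it. The other changes in that hunk match the message (`oqs-contributors: triage`, the new `oqs-provider-codeowners: write`), so this one reads as either an unannounced permission reduction or an accident. Say which in the commit message or in a comment next to the line, and check that no committer relies on a `maintain`-level action in that repository.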
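Review bot: The `liboqs-codeowners` and `oqs-provider-codeowners` teams added in patch 13/13 (`@@ -125,6 +118,18` and `@@ -140,6 +145,18`) are hand-copied member lists whose source of truth is the linked `.github/CODEOWNERS` file in each repository, and nothing in this patch keeps the two in sync. GitHub only honours a code owner who has write access, so someone added to CODEOWNERS but not to the matching team here gets no write grant from this file. Consider a CI check that compares the team members with the handles in the linked file. The other repositories now give `oqs-contributors` only `triage`, so if any of them has a CODEOWNERS file, its owners need a write grant from one of the remaining teams.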
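Review bot: After the `@@ -68,13 +61,12` hunk of patch 13/13, the only description left above `oqs-contributors` is "A sensible default for projects without a clear list of Contributors.", which no longer says who qualifies or what the team grants. The two removed comment lines were the membership criterion, and the `# triage access across technical projects` comment went away with the `triage` team in `@@ -27,13 +27,6`. Add a line stating that the team now carries triage-level access on every repository and what the bar for membership is, so a future reviewer can judge additions to the list.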