Adopt and publish a "Maintainer Covenant" for this project
broofa opened this issue · 3 comments
Are there any open-source projects that publish covenants around their security / maintenance practices? Something we could use as a template...?
I'm thinking of something similar in spirit to the Contributor Covenant, but that enumerates basic principles of good project management (esp. as relates to security) that the maintainers commit to. I ask because there has been yet another breach in a popular NPM module, and the circumstances seem all too familiar. Having such a document would, I believe, help encourage maintainers to check these boxes as their projects become more popular, and I believe (read, "hope") that we've reached a place where this project could set a good example.
Off the top of my head, some items this could cover:
- Security
  - Use of 2FA (required for all maintainers, all relevant accounts. Esp. GitHub & NPM)
  - Use of password managers for managing credentials on personal devices
  - Handling of shared passwords and access tokens (ref. Secrets)
- Maintainer team
  - Minimum size (to allow for code review, and mitigate Bus Factor issues)
  - Qualifications expected
  - Vetting process
- Code access
  - All commits to master require review
I’m all for it! I believe that we did a good job so far implicitly, but I agree that it would be worthwhile to formalize this!
(reopening since this was accidentally closed because of a push to master)