New teams

[ryjones]

Creating teams for repos

[ryjones]

@baentsch @bhess this is to move people from collaborator roles to teams with roles. The level of access should remain the same - most of the collaborators were already members of a team with identical access.

[clowarden]

Validation succeeded

✅ The proposed configuration changes are valid!

Configuration changes

Directory

• team liboqs-cupqc-maintainers has been removed
• team liboqs-cpp-admins has been added
  • Maintainers
    • vsoftco
• team liboqs-go-admins has been added
  • Maintainers
    • vsoftco
• team www has been added
  • Maintainers
    • crockeea
  • Members
    • SWilson4
    • christianpaquin
    • praveksharma
    • vsoftco
• team liboqs-java-committers has been added
  • Maintainers
    • ryjones
  • Members
    • jimouris
• thomwiggers is now a member of team liboqs-committers
• ashman-p is now a member of team liboqs-committers
• cothan is now a member of team liboqs-committers

Github

• user Martyrshot is no longer a collaborator of repository liboqs
• user cothan is no longer a collaborator of repository liboqs
• user thomwiggers is no longer a collaborator of repository liboqs
• user ashman-p is no longer a collaborator of repository liboqs
• team liboqs-cpp-admins has been added to repository liboqs-cpp (role: admin)
• user vsoftco is no longer a collaborator of repository liboqs-cpp
• team liboqs-go-admins has been added to repository liboqs-go (role: admin)
• user vsoftco is no longer a collaborator of repository liboqs-go
• team liboqs-java-committers has been added to repository liboqs-java (role: write)
• team oqs-provider-codeowners role in repository oqs-provider has been updated to admin
• team www has been added to repository www (role: write)
• user praveksharma is no longer a collaborator of repository www
• user christianpaquin is no longer a collaborator of repository www
• user vsoftco is no longer a collaborator of repository www
• user SWilson4 is no longer a collaborator of repository www
• user crockeea is no longer a collaborator of repository www

---

🔸 Please review the changes detected as they will be applied immediately once this PR is merged 🔸

[ryjones]

@baentsch please review

[baentsch]

As far as oqsprovider is concerned, this seems to go from too few permissions for too few people to too many permissions for too many people. Is there no way to model exactly what's documented in GOVERNANCE.md (unless answers to #45 contradict that)?

[clowarden]

Reconciliation completed

✅ The reconciliation completed successfully and all changes have been applied across the services!

Changes applied

Github

• team liboqs-cpp-admins has been added
  • Maintainers
    • vsoftco
• team liboqs-go-admins has been added
  • Maintainers
    • vsoftco
• team liboqs-java-committers has been added
  • Maintainers
    • ryjones
  • Members
    • jimouris
• team www has been added
  • Maintainers
    • crockeea
  • Members
    • SWilson4
    • christianpaquin
    • praveksharma
    • vsoftco
• cothan is now a member of team liboqs-committers
• thomwiggers is now a member of team liboqs-committers
• ashman-p is now a member of team liboqs-committers
• user thomwiggers is no longer a collaborator of repository liboqs
• user ashman-p is no longer a collaborator of repository liboqs
• user cothan is no longer a collaborator of repository liboqs
• user Martyrshot is no longer a collaborator of repository liboqs
• team liboqs-cpp-admins has been added to repository liboqs-cpp (role: admin)
• user vsoftco is no longer a collaborator of repository liboqs-cpp
• team liboqs-go-admins has been added to repository liboqs-go (role: admin)
• user vsoftco is no longer a collaborator of repository liboqs-go
• team liboqs-java-committers has been added to repository liboqs-java (role: write)
• team oqs-provider-codeowners role in repository oqs-provider has been updated to admin
• team www has been added to repository www (role: write)
• user praveksharma is no longer a collaborator of repository www
• user SWilson4 is no longer a collaborator of repository www
• user crockeea is no longer a collaborator of repository www
• user vsoftco is no longer a collaborator of repository www
• user christianpaquin is no longer a collaborator of repository www

[baentsch]

@dstebila Can you please explain why you think it's a good idea to give admin rights to oqs-provider to everyone with a "code-owner" designation? If I'm not wrong, you now approved all contributors to have even more privileges than normal GH maintainer(s): This is IMO the exact opposite of the least privilege concept and also a direct contradiction to GOVERNANCE.md. The latter irks me even more than the security downgrade: Why did I write this in the first place if not to provide some "guard rails" protecting the code?

[dstebila]

@dstebila Can you please explain why you think it's a good idea to give admin rights to oqs-provider to everyone with a "code-owner" designation? If I'm not wrong, you now approved all contributors to have even more privileges than normal GH maintainer(s): This is IMO the exact opposite of the least privilege concept and also a direct contradiction to GOVERNANCE.md. The latter irks me even more than the security downgrade: Why did I write this in the first place if not to provide some "guard rails" protecting the code?

You're right. What level of access should the codeowners team have?

[baentsch]

You're right. What level of access should the codeowners team have?

Codeowners in my eyes are Contributors and should have the same rights. But I already don't understand the separation of "codeowners" and "contributors" to begin with. This only exists in oqsprovider, no-where else: Why?

In general, I think the whole file is a big mess, completely un-structured, not orthogonal across projects and not in line with GOVERNANCE.md files where present. Yes, it did become better recently with the introduction of teams (though not consistently, see e.g., boringssl), but still, I don't understand why there's not a simple, orthogonal/per-project "maintainers", "committers", and "triage" category with admin (or maintain, if no sufficient trust exists), write, and triage rights, respectively as per our governance rules? Related question: Why is there a need to sometime have "admin" and sometime "maintainer" and sometime both teams per sub-project? Then: Why is there absolutely no documentation (e.g., as to exceptions to the "orthogonality" rule)?
This "orthogonality" can be simplified by having a single triage team triaging all OQS projects (as is the case if I get it right) and a single language-wrapper sub-project "designator" for all language-wrapper projects but rust (not the case right now, if I get it right). These changes alone should cut the size of the file substantially and make it understandable to the unwary (or at least me :). In any case, it should never violate GOVERNANCE.md files as it did from the very start until now. Lastly, I don't understand why an admin often (but not always) is maintainer (e.g., of teams): If this should be managed by the community, only community members (arguably maintainers) should be listed. I understand it was started by an admin to manage the multitude of projects, but at no time did I see agreement (and adherence) to basic principles like these:

• Never violate GOVERNANCE.md files' contents where present
• Keep things orthogonal across projects -- if not, document by comment why it's not possible so everyone can understand exceptions
• Do not have LF admins overrule maintainer's rights

OK, the latter is probably just my problem since the don't-trust-@baentsch principle started in April when all my permissions were withdrawn, so probably unrealistic/unacceptable to LF. Nevertheless I think it would be a logical principle if the community and not LF admins should control the project('s access rights). Conceptually, what about an OQS-maintainers team listed as maintainer for all sub-project's maintainer team lists? In my "ideal" world, every person would be listed in as few teams as possible, ideally just one -- every additional use of a specific person's ID should be accompanied by a comment. This way, it becomes obvious when specific persons become "risky" (in terms of "key person risk") and the community aware of the need to do something about it.

As usual, sorry for the long text & disregard as you see fit.

[SWilson4]

Codeowners in my eyes are Contributors and should have the same rights. But I already don't understand the separation of "codeowners" and "contributors" to begin with. This only exists in oqsprovider, no-where else: Why?

I actually created the "oqs-provider-codeowners" team here so as not to override the oqs-provider GOVERNANCE file. Codeowners need "write" access in order to approve pull requests. Requesting codeowner review on PRs was the stated purpose of open-quantum-safe/oqs-provider#458, so the codeowners added there needed to have "write" access at minimum. However, the codeowner list included people who were not listed as committers in the GOVERNANCE file, so I couldn't simply add them to the "oqs-provider-committers" team (which already had sufficient perms) without overriding that file.

[SWilson4]

Perhaps our Committers ought in fact to have "maintain" privileges, Maintainers ought to have "admin" privileges, and Contributors (incl. people in the codeowners file) ought to have "write" privileges? (See here for documentation on perms.)