
Governance updates? #125

Open
djc opened this issue Aug 19, 2024 · 3 comments

djc commented Aug 19, 2024

cc @worldwise001. Going to set the stage with some context:

  • rustls-platform-verifier was originally created within 1Password. It was open sourced and transitioned to live within the rustls GitHub org (judging from PR history, it looks like that happened near the end of 2022).
  • @complexspaces has been the primary maintainer both inside (as far as we know) and outside 1Password. As a result, the (perceived?) ownership situation has been that @complexspaces needs to sign off on ~all PRs before they get merged.

@cpu in #119 (comment):

From my perspective the norms for reviewing those PRs haven't been set in this repo, or written down explicitly. I personally don't feel enough ownership here to blanket +1 updates that don't affect MSRV like I might in rustls/rustls or rustls/webpki.

I remember @complexspaces pushing back on landing the automation and in retrospect I think it would have been better to work through some kind of policy/expectation-setting before landing the automation. Lesson learned :-)

@complexspaces in #119 (comment):

I hope no one feels bad about the current state of the lockfile/dependency updates, that wasn't my intention at all. I tend to not look at the PRs because my OSS time is already fairly limited.

I did push back when first proposed because it seemed weird to me to update dependencies via lockfile just because they had updated, since this is generally not what I do at work or personal projects. I tend to only do dependency upgrades when there's a new direct dependency and then make sure the lockfile is clean as an end result.

For the rustls project, currently @ctz is full-time, @cpu is about half time and I spend quite a bit of time as a volunteer. As such, we have a decent amount of bandwidth for small updates/improvements/maintenance. From what I've observed, @complexspaces often doesn't feel like they have enough bandwidth at work to spend on rustls-platform-verifier, and so their work on rustls-platform-verifier sometimes becomes intermittent (for example, there recently was a bunch of work from their vacation). On the flipside, because the rustls maintainers want to respect the donation of rustls-platform-verifier from 1Password to our project and don't want to cause problems for your internal usage of the project, we are hesitant to make changes without explicit approval from 1Password staff (that is, @complexspaces).

Which led me to this question in #120 (comment):

A potential third topic for discussion: being more explicit about ownership. So far I think we've mostly deferred to @complexspaces on any half-way nuanced changes, but the downside is that @complexspaces has pretty limited bandwidth certainly compared to the other rustls org maintainers. Maybe we can get to a tweaked proposed governance model?

To make this concrete, I think as rustls maintainers it would be nice if we could take a little more ownership of the project, where we would not block merging on PRs without 1Password/@complexspaces approval at least where we feel we have enough expertise (which might be limited for some of the platforms).

(As rustls maintainers, we would also like rustls-platform-verifier to be more broadly used, since it seems like a better/more secure alternative to basic rustls-native-certs -- unfortunately there are still some rough edges here and potential further improvements especially on platforms that don't really have a platform verifier.)

What do people think? (Please feel free to correct me if I've gotten something wrong.)


cpu commented Aug 26, 2024

I'm back from vacation and would be interested in moving this discussion forward. I think djc has done a good job of capturing the state of things (thanks!). I'd like to hear from the 1Password folks before weighing in with any further thoughts of my own.


djc commented Sep 16, 2024

@worldwise001 any thoughts? Would be nice to make some progress here.


djc commented Oct 7, 2024

@worldwise001 friendly ping?
