Simon Tournier <zimon.touto...@gmail.com> writes:

> Hi,
>
> On Sun, 09 Feb 2025 at 12:43, Tomas Volf <~@wolfsden.cz> wrote:
>
>>> Maybe this is semantic nitpicking, but people who are able to merge are
>>> effectively committers, if only potentially limited to some parts of
>>> the code.
>>
>> Given that Guix is (effectively) just a large Scheme program, does the
>> "limited to some parts of the code" bring any security compared to full
>> access?
>
> Hum, no one is talking about allowing a random person to merge a random
> piece of code. :-)
>
> I think we could have a kind of “web of trust”.  Somehow, team members
> with write access to some dedicated branches and core* members with
> write access to master.

I see.  One of the suggestions floating here was that vetted
non-committers (non-committer team members) would be able to merge
patches affecting just "their packages", assuming they pass the CI.  My
question was directed towards where it actually brings extra security
compared to just making them committers.

Seems I misunderstood the proposal (and it instead involves branches),
sorry for the noise. :)

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
