A new model to manage who_pumpkin on PAUSE
After some private discussions about this with @neilb and the current Perl Steering Council (@ap, @book, @haarg), it appears that the current list of people with the "pumpkin" permission is too big (there are 53 people on that list at the time of writing).
This list seems to serve two purposes:
- keep an historical record of who ever did a release of Perl
- authorize (for PAUSE indexing purposes) the people in the list to release a new (stable) Perl
The first job is better handled by the perlhist manual page.
For the second, the risk of inactive account takeover is very real. Some of the people on the list above have stopped doing Perl for a long time (some are even deceased). It would make sense for this list to only contain people who actually need the permission, because they are on the Perl release schedule and will do a release in the near future.
To reduce administrivia, one proposal could be along the lines of:
- volunteers on the release schedule are given the permission
- by default, the permission expires a year after having been assigned
- everyone who has the permission has access to a button on PAUSE to extend it for another year
- the current PSC members have access to an interface to assign the permission to, or revoke it from, another PAUSE user
This should ensure that, after the initial setup, minimal involvement from PAUSE admins is needed (updating the list of PSC members every year). The PSC can assign the permission directly to volunteers, and people who stop contributing to Perl eventually lose the permission over time.
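To make the lifecycle above concrete, here is an added illustration (not PAUSE's own code, and not from any of the participants in this thread) of time-bounded grants in Perl: grants are one year long by default, holders can extend their own unexpired grant, only PSC members can grant or revoke, and every change is written to an audit record. All package and method names (`ReleaserGrants`, `may_release`, `extend`, and so on) are assumptions made for this example; the sample users and timestamps are constructed.

```perl
#!/usr/bin/env perl
# Added illustration of the expiring-grant model proposed above; hypothetical, not PAUSE code.
use strict;
use warnings;

package ReleaserGrants;

use constant GRANT_TTL => 365 * 24 * 60 * 60;   # default lifetime: one year, per the proposal

# $self->{grants}{$user} = { expires => <epoch seconds> }
# $self->{log}           = [ { at, actor, action, target }, ... ]  (the "who listed whom" record)
sub new {
    my ($class, %args) = @_;
    return bless {
        psc    => { map { $_ => 1 } @{ $args{psc} || [] } },
        grants => {},
        log    => [],
    }, $class;
}

sub _record {
    my ($self, $at, $actor, $action, $target) = @_;
    push @{ $self->{log} }, { at => $at, actor => $actor, action => $action, target => $target };
    return;
}

sub is_psc {
    my ($self, $user) = @_;
    return $self->{psc}{$user} ? 1 : 0;
}

# Only PSC members may grant; a fresh grant always starts with the default TTL from $now.
sub grant {
    my ($self, $actor, $target, $now) = @_;
    die "$actor is not a PSC member\n" unless $self->is_psc($actor);
    $self->{grants}{$target} = { expires => $now + GRANT_TTL };
    $self->_record($now, $actor, 'grant', $target);
    return 1;
}

# Only PSC members may revoke; revoking an unlisted user is recorded but harmless.
sub revoke {
    my ($self, $actor, $target, $now) = @_;
    die "$actor is not a PSC member\n" unless $self->is_psc($actor);
    delete $self->{grants}{$target};
    $self->_record($now, $actor, 'revoke', $target);
    return 1;
}

# The "extend for another year" button: a holder may push their own expiry to $now + TTL,
# but only while the grant is still live; an expired grant cannot be revived this way.
sub extend {
    my ($self, $user, $now) = @_;
    return 0 unless $self->may_release($user, $now);
    $self->{grants}{$user}{expires} = $now + GRANT_TTL;
    $self->_record($now, $user, 'extend', $user);
    return 1;
}

# The check an indexer would make when a stable perl is uploaded: an unexpired grant exists.
sub may_release {
    my ($self, $user, $now) = @_;
    my $g = $self->{grants}{$user} or return 0;
    return $now < $g->{expires} ? 1 : 0;
}

sub audit_log {
    my ($self) = @_;
    return @{ $self->{log} };
}

package main;

# Constructed sample data: PSC of three, one volunteer, a fixed starting epoch.
my $day = 86400;
my $t0  = 1_700_000_000;
my $r   = ReleaserGrants->new(psc => [qw(AP BOOK HAARG)]);

$r->grant('BOOK', 'VOLUNTEER', $t0);
printf "30 days in, may release: %d\n",  $r->may_release('VOLUNTEER', $t0 + 30 * $day);
printf "extend at day 300: %d\n",        $r->extend('VOLUNTEER', $t0 + 300 * $day);
printf "day 400, may release: %d\n",     $r->may_release('VOLUNTEER', $t0 + 400 * $day);   # extended, still live
printf "day 700, may release: %d\n",     $r->may_release('VOLUNTEER', $t0 + 700 * $day);   # lapsed
printf "extend after lapse: %d\n",       $r->extend('VOLUNTEER', $t0 + 700 * $day);        # refused

eval { $r->grant('VOLUNTEER', 'SOMEONE', $t0) };
print "non-PSC grant refused: $@" if $@;

printf "%s %s %s at %d\n", @{$_}{qw(actor action target at)} for $r->audit_log;
```

The two properties worth checking in such a model are the ones the thread relies on: the indexer's question reduces to "does an unexpired grant exist now", so a dormant account silently drops off the list without any admin action, and the extension path cannot be used to resurrect a lapsed grant, which forces a PSC member back into the loop for anyone who has been away for more than a year.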
Further notes: this means that…
- … we need a record of who has been listed by who_pumpkin over time, which most probably means including it in @batchpause
- … if the list stops including everyone who has ever made a perl release then PAUSE needs some other way of remembering which perl releases were authorized at the time of their uploading
Why does PAUSE need to remember which releases were authorized? PAUSE only uses the data when indexing new stable releases. An old stable release isn't treated any differently than an unauthorized release.
Right, that’s a MetaCPAN need, not PAUSE. Mixed things up.
MetaCPAN checks permissions at index time and stores those. It does the same for normal CPAN releases. It doesn't use historical data.
This seems pretty reasonable to me.
Honestly, I wonder if we can just use a mailing list user to replace the pumpkin bit.
A mailing list user?
A mailing list user is a special thing in PAUSE. See:
- https://pause.perl.org/pause/authenquery?ACTION=show_ml_repr
- https://pause.perl.org/pause/authenquery?ACTION=select_ml_action
But basically, it's a user that other users can impersonate. So there's a P5P mailing list user that has first come on some libraries. Then any normal user who is a member of the "mailing list" can impersonate P5P to do stuff: generally, name comaintainers. You can't upload something as a mailing list user.
So, we'd make a PERLREL mailing list user and update the "is user pumpking?" checks in pause.git to instead say "is user member of PERLREL"?
Ah. Sounds sensible (to me – which is not saying much here).
> So, we'd make a PERLREL mailing list user
I think the obviously correct name for this account would be PUMPKING. 🙂
> I think the obviously correct name for this account would be PUMPKING. 🙂
:) But personally, I would rather we avoid that term, as (a) the position is retired and (b) it is inherently gendered.
> I think the obviously correct name for this account would be PUMPKING. 🙂

> :) But personally, I would rather we avoid that term, as (a) the position is retired and (b) it is inherently gendered.
"Pumpkin holder" is more appropriate, and not gendered. 🎃
There was also the discussion of automating the releases of Module::CoreList, so maybe P5P, PORTERS, or something more general would be better.
Naming is hard, but also a later step, if there's some code to be written to support this.
In the PAUSE interface
- "List of pumpkins" in the sidebar could be "Perl releasers" or "Authorised Perl releasers"
- The same for the page title
- "pumpkin bit holder" can be "authorised releaser of Perl", or "perl release bit holder".
Those of you who think "authorised" should be spelled "authorized" can bite me. Or change it to "approved", I guess.
This name also makes clear that it should just be people currently considered acceptable / potential releasers, and so a load of people can lose their bit, including me.
> Naming is hard, but also a later step
My bad, sorry about that.