On Wed, Mar 17, 2021 at 6:36 PM Dustin Ingram
One of the last things we need are a few folks to offer to be designated as "lifters" for the following projects:
- pypa/packaging
- pypa/pip
- pypa/pipenv
- pypa/setuptools
- pypa/setuptools-scm
- pypa/twine
- pypa/virtualenv
- pypa/wheel
[...] Ideally, at least one person with the commit bit for a given project will be a lifter.
AFAIK jaraco has been a lifter for setuptools for the last two or three years. He's even got some automation for auto-uploading release notes there. Does it really need more lifters?
I don't imagine the volume of requests here will be very high. (One thing we'll definitely have to do is document a security/vulnerability disclosure policy for all PyPA projects.)
Agreed, from my experience they want the supported releases marked, their marketing texts+links injected into project docs/pages, security set up, and each lifter needs to set up 2FA on GH and PyPI. Among higher-maintenance tasks, there's the need to add release notes when publishing new versions, for example. And occasionally they invent new tasks to be performed.

FYI they offer using their email for reporting security bugs and AFAIR they can also help facilitate the fixing and disclosure process. I recently had to deal with a security issue in aiohttp but I didn't switch the policy to be routed through them and instead used GitHub's Advisories features to work on the fix, make an advisory and request a CVE (all within the GH UI except for the initial report over email). Then, I just went to Tidelift and entered the existing CVE + the range of affected versions.

That said, I think PyPA may need to clarify the unified process and decide whether it's worth routing the reports through Tidelift or handling this differently.

-- 
Warm regards,
Sviatoslav Sydorenko
Software Hacker @ Ansible Core