PEP 8016 - The steering council model

Committers
35

Yeah, I hear what you’re saying! This is a tricky and sensitive topic.

To clarify how the PEP currently works…

  • Normally, when a new core dev is nominated, then the existing core devs do a vote, and if >=2/3 are in favor, the person becomes a core dev, and that’s it.
  • If the steering council wants to veto, then the council members have to vote amongst themselves.
  • This is a general rule – individual council members don’t have any special power. All the council’s special powers require a vote.
  • The council votes are always simple majority (reference), except for the special case of ejecting an existing core team member, which requires a supermajority. So a veto requires a simple majority.

Background/motivation

The council veto was one of the things we copied directly from Django (you can read their version here). They’ve never actually used the veto in real life, and I hope that we’ll never use it either. But, there’s one specific situation where it’s important.

Imagine there’s some developer who has a good public reputation, but you know that in private they’re an abusive manipulator who does terrible things to people. Now, because they have a good reputation, someone nominates them as a core dev, and all your fellow core devs innocently vote for them, because they have no idea that there’s any issue. What do you do? You could speak up about what you know… but if you do that in public, then you know the dev will come after you, try to ruin your reputation, stalk you, make you lose your job … you’ve seen them do it before to other people, and you can’t risk it. The veto gives you another option: you can go privately to the steering council, and share what you know. And if they’re convinced, then they can use their veto.

Again, we hope this never comes happens. And it’s far from perfect. For the council to announce that they’re rejecting a core dev and they can’t explain why… that is a truly shitty thing to do. But there are situations when the alternatives are even worse.

Is it likely to be abused? I don’t think so – remember that the council is elected by the core devs, so for a veto to happen you’d need at least 3 widely-trusted people to all be convinced that this was the best option, despite all the downsides. And if it ever happened, it would be super controversial. If the 2/3 of core devs who voted to promote the dev don’t trust the council, then that’s enough core devs devs to kick out the council with a vote-of-no-confidence, or even to modify the governance PEP to remove the council’s right to use a veto.

Alternatives

Personally I think it’s good to have some kind of way to eject toxic people that doesn’t require dragging everyone into a giant group discussion, but I’m not too fussed about the details, because it should be a very rare and special event.

Technically the veto power isn’t strictly necessary, since the PEP also has a way for the steering council to eject core team members via a special vote (basically for the same reasons as above); in any case where the council would veto a new core dev, they could instead wait for them be elected, and then kick them out again. The only difference is that the eject-an-existing-core-dev vote requires a special council supermajority, while the veto-a-new-core-dev vote only needs a regular council majority, so it’s harder to kick out an existing core dev than it is to block a new core dev from joining. This seems fine to me, but it’s not particularly important… we could e.g. make the veto be a supermajority too, or drop the veto and rely on the regular eject-an-existing-core-dev power alone, if people think something like that is better.

I guess there is one procedural weirdness with the current text, where it’s not exactly clear when the council can use their veto power. Like if someone questionable is nominated to be a core dev, and it takes the council a week to figure out whether they want to veto, and in the mean time they’re promoted, then can the council still use the veto power or do they need to use the eject-an-existing-member power? This kind of procedural edge case is tiresome and unpleasant, so maybe we should merge the two powers to keep things simpler.