@Mariatta, Yes, I am aware of that. However, in this case, the merger did not have any special privs, AFAICT.
Admin access probably needs to be cleaned up as it’s currently broader than RMs and those of us maintaining a webhook. Once 3.4 hits EOL in March I plan to talk it over with Ernest about reasonable criteria for who gets admin access for security – and now branch access – reasons (and my guess is it will simply tighten to those maintaining an active webhook or RMs).
Does GitHub support different permissions for different group of people?
There’s read, write, and admin. They can be set at the individual or GitHub team level (e.g. Python Core has write access while Release Managers has admin access).
I do. When we migrated from hg to git, I needed that access, and it was left like that. I may not need it any longer, but I can ask again if I need it, or we leave it at status quo, and I can use it for helping others when required.
PR11477 merging was a mistake, which has been corrected now by revert.
- The version in bpo had 3.6 set, and I didn’t realize we have 3.6 in security-only fix mode.
- I didn’t know that the bot was not auto-merging on purpose, and thought it needed manual intervention.
I hope the discussion on this topic, removal of the “needs backport to 3.6” label, can be separated from the above incident and continued.
I read this discussion completely.
I’d go with Ned (RM for 3.6) having the authority on whether we should remove the “Needs backport to 3.6” label or not.
Just as we do not remove the selection of 3.6 in bugs.python.org, it can be argued that we should not remove that label in the github.com/python/cpython project either. (Side note: the issues themselves need to be pruned for correct selection now that 3.6 is in security-fix-only mode.)
Now that the previously set labels are removed from PRs, keeping the label itself seems harmless to me, and the label will help us if we really want to backport security fix PRs automatically. (Imagine doing the backport from the computer in your pocket while standing on the train; labels, the GitHub UI, etc. are helpful here.)
There were 2 mistakes so far, and they can be corrected as we realize 3.6 is security fixes only. And the current automation provided by the miss-islington bot is actually very good IMO.
Would it be helpful for the bot to somehow signal the issue, e.g. posting a comment saying “only release managers can backport to this branch”?
I think fixing the permissions issue is the easier solution. That doesn’t require custom code and for security purposes we should do it anyway.
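The thread’s conclusion is that tightening who holds admin on the repository is the real fix. The script below is an added example, not code from this discussion or from the CPython project: it audits a collaborator list against an allowlist of accounts that are supposed to hold admin (RMs and webhook maintainers, per the thread) and reports anyone with admin who is not on that list, plus anyone on the list who has lost admin. It assumes the JSON shape of GitHub’s REST endpoint `GET /repos/{owner}/{repo}/collaborators` (each entry carries `login` and a `permissions` object with boolean `admin`, `maintain`, `push`, `triage`, `pull` keys); the sample data and account names are constructed placeholders so the script runs offline.

```python
"""Audit GitHub repository collaborator permissions against an admin allowlist.

Added example, not from the thread or the CPython project. Assumes the response
shape of GET /repos/{owner}/{repo}/collaborators (GitHub REST API), where each
collaborator has "login" and a "permissions" object with boolean keys
"admin", "maintain", "push", "triage", "pull". All data below is constructed.
"""

from typing import Dict, Iterable, List

# Ordered from most to least privileged; maps API keys to the UI names
# (write == push, read == pull) used in the thread.
_LEVELS = (
    ("admin", "admin"),
    ("maintain", "maintain"),
    ("push", "write"),
    ("triage", "triage"),
    ("pull", "read"),
)

# Constructed sample modelled on the API shape; logins are placeholders.
SAMPLE_COLLABORATORS = [
    {"login": "release-manager-a",
     "permissions": {"admin": True, "maintain": True, "push": True, "triage": True, "pull": True}},
    {"login": "webhook-maintainer",
     "permissions": {"admin": True, "maintain": True, "push": True, "triage": True, "pull": True}},
    {"login": "legacy-migrator",   # kept admin after a past migration, no longer needed
     "permissions": {"admin": True, "maintain": True, "push": True, "triage": True, "pull": True}},
    {"login": "core-dev-b",
     "permissions": {"admin": False, "maintain": False, "push": True, "triage": True, "pull": True}},
    {"login": "release-manager-c",  # on the allowlist but currently only has write
     "permissions": {"admin": False, "maintain": False, "push": True, "triage": True, "pull": True}},
]

# Constructed allowlist: who is supposed to hold admin.
APPROVED_ADMINS = {"release-manager-a", "webhook-maintainer", "release-manager-c"}


def effective_level(permissions: Dict[str, bool]) -> str:
    """Return the highest permission level granted, in UI terms (admin..read)."""
    for api_key, ui_name in _LEVELS:
        if permissions.get(api_key, False):
            return ui_name
    return "none"


def find_excess_admins(collaborators: Iterable[dict], approved_admins: Iterable[str]) -> List[str]:
    """Logins that hold admin but are not on the allowlist (least-privilege violations)."""
    approved = set(approved_admins)
    return sorted(
        c["login"] for c in collaborators
        if c.get("permissions", {}).get("admin", False) and c["login"] not in approved
    )


def find_missing_admins(collaborators: Iterable[dict], approved_admins: Iterable[str]) -> List[str]:
    """Allowlisted logins that do not currently hold admin (e.g. an RM who cannot push to a protected branch)."""
    holders = {c["login"] for c in collaborators if c.get("permissions", {}).get("admin", False)}
    return sorted(set(approved_admins) - holders)


def audit(collaborators: List[dict], approved_admins: Iterable[str]) -> Dict[str, object]:
    """Summarise every collaborator's effective level and the two deviations from policy."""
    return {
        "levels": {c["login"]: effective_level(c.get("permissions", {})) for c in collaborators},
        "excess_admins": find_excess_admins(collaborators, approved_admins),
        "missing_admins": find_missing_admins(collaborators, approved_admins),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_COLLABORATORS, APPROVED_ADMINS)
    for login, level in report["levels"].items():
        print(f"{login:20s} {level}")
    print("admin but not approved:", report["excess_admins"])
    print("approved but not admin:", report["missing_admins"])
```

Against a live repository the same functions take the parsed JSON from the collaborators endpoint (paginated, so concatenate the pages first); the `excess_admins` list is the set of accounts to downgrade to write, and `missing_admins` catches the opposite failure where a release manager silently lost the access the branch rules now require.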