Remove "needs backport to 3.6" label

(Ned Deily) #21

@Mariatta, Yes, I am aware of that :slight_smile: However, in this case, the merger did not have any special privs, AFAICT.


PR 11477 was merged by @Senthil, who appears to have Admin access to python/cpython.


(Ned Deily) #23

@Mariatta, oh, thanks! I was looking in the wrong place.

(Brett Cannon) #24

Admin access probably needs to be cleaned up as it’s currently broader than RMs and those of us maintaining a webhook. Once 3.4 hits EOL in March I plan to talk it over with Ernest about reasonable criteria for who gets admin access for security – and now branch access – reasons (and my guess is it will simply tighten to those maintaining an active webhook or RMs :smile:).

(Victor Stinner) #25

Does GitHub support different permissions for different groups of people?

(Brett Cannon) #26

There’s read, write, and admin. They can be set at the individual or GitHub team level (e.g. Python Core has write access while Release Managers has admin access).

(Senthil) #27

I do. When we migrated from hg to git, I needed that access, and it was left like that. I may not need it any longer, but I can ask again if I need it, or we can leave it at the status quo too, and I can use it for helping others when required.

  • PR11477 merging was a mistake, which has been corrected now by revert.

    • The version in bpo had 3.6 set, and I didn’t realize we have 3.6 in security-only fix mode.
    • I didn’t know if the bot was not auto-merging on purpose and thought it needed manual intervention.

I hope the discussion on this topic, removal of “needs backport to 3.6”, can be separated from the above incident and continued.

(Senthil) #28

I read this discussion completely.

I’d go with Ned (RM for 3.6) having the authority on whether we should remove the “Needs backport to 3.6” label or not.

  • Just we do not remove the selection of 3.6 in it can be argued that we do not remove that label in project too. (Side note: the issues themselves need to be pruned for correct selection now that 3.6 is in security-fix-only mode).

  • Now that the previously set labels are removed from PRs, keeping the label itself seems harmless to me, and the label will help us if we really want to backport security fix PRs automatically. (Imagine doing the backport via the computer in your pocket, standing in the train; labels, GitHub, UI etc. are helpful here.)

  • There were 2 mistakes so far, and they can be corrected as we realize 3.6 is security fixes only. And the current automation provided by the miss-islington bot is actually very good IMO.

(Nathaniel J. Smith) #29

Would it be helpful for the bot to somehow signal the issue, e.g. posting a comment saying “only release managers can backport to this branch”?

(Brett Cannon) #30

I think fixing the permissions issue is the easier solution. That doesn’t require custom code and for security purposes we should do it anyway.