PEP 13: Python Language Governance

PEP 13 names two privileges that core team members can temporarily lose when inactive: voting or nominating for the steering council, and commit access.

There’s no time limit on core team membership. However, in order to provide the general public with a reasonable idea of how many people maintain Python, core team members who have stopped contributing are encouraged to declare themselves as “inactive”. Those who haven’t made any non-trivial contribution in two years may be asked to move themselves to this category, and moved there if they don’t respond. To record and honor their contributions, inactive team members will continue to be listed alongside active core team members; and, if they later resume contributing, they can switch back to active status at will. While someone is in inactive status, though, they lose their active privileges like voting or nominating for the steering council, and commit access.

Voting

We handle the voting part:

As part of compiling the voter roll for annual SC elections, we start with a list of people who have committed to the CPython repo in the previous two years, and consider these active.

Anyone whose status is pending a change to “inactive” is emailed and asked if they wish to remain marked as “active”. This gives them the chance to still vote even if they’ve not committed recently, and also covers the wide range of important activities that core members perform beyond CPython commits. (See python/voters#81 (comment) for an example email.)

Committing

But we don’t currently handle the commit access part.

During the Language Summit 2024 we discussed “Strengthening Python’s Security Model”, including removing the commit bit for inactive core members.

We further discussed this in python/core-workflow#539 and there is broad agreement it would be sensible to remove commit access for inactive members. We could list them as Emeritus committers, and they can easily regain access when they wish to start contributing again.

Practically, it would make sense to perform this annually as part of compiling the voter roll (potentially with an initial run if there’s a long time until the next election).

I proposed this to the SC in python/steering-council#254, who suggested:

Thanks for raising this! Overall, the SC feels that this is a good addition to the process but will likely defer this decision to the next SC.

In the meantime, we’d like to suggest opening a discussion on DPO to gather community feedback on whether we should split out a Core Developer’s status to support having voting rights but not commit rights. We can see a situation where someone would want to opt-in to being “active” in order to participate in votes, but don’t actually need the commit bit.

Feedback please!

Should we split out a core member’s status to support voting rights but not commit rights?

Would core members, who aren’t actively committing, like the opportunity to vote/nominate in SC elections, but temporarily give up commit rights until they need them again?

Some numbers

For context, running the voters repo scripts, gives 90/198 core members who are active; those who have committed to the CPython repo in the last two years, plus those who’ve declared that they wish to be marked active. Of those, 84 have committed in the past two years.

There’s 128 members in the GitHub python-core team who have commit access.

So perhaps there’s up to ~40 (128-90) people with the commit bit who don’t need it.

Hi,

A couple of comments here:

When you say “commit”, do you mean purely pushing one’s own commits? Or does that include PR merges?

What is the concern exactly? I suspect some inactive core members are active GitHub users, and therefore their credentials are probably not really at risk (at least not without them noticing I guess). Also, 2FA was made mandatory some time ago.

I would not be against it, but I wonder what that entails exactly. Can I still merge other people’s PRs? Also, what is the procedure to get back commit rights?

It’s both commit author and committer, see here, so I think that’s both? In any case, potential inactive people would be contacted before having access removed.

The principle of least privilege says that a user or entity should only have access to what is needed to complete a required task. It would reduce the attack surface for things like malware, stolen or unauthorised access to devices.

You would not be able to merge PRs. Write permission would be removed for the repos the python-core team has access to, such as python/cpython and related github.com/python repos. Practically, I think we’d move them to an “Emeritus committers” team.

I’d suggest something lightweight like opening an issue at python/core-workflow.

I think that it sounds a little bit weird to have a “core developer” who can vote but not merge PRs anymore. If a core developer wants to keep their right to vote, IMO it should stick with the “commit bit”.

I would prefer to only have 3 categories:

• regular contributors: cannot vote nor commit,
• (active) core developers: can vote and commit,
• and Emeritus (inactive) core developers: cannot vote nor commit.

Obvisouly, Emeritus core devs can still be involved if they want. It’s just that if they want to merge PRs again or want to vote again, they should request to get back their “active” role.

From what I understood, no inactive core devs is kicked out, since they can simply request (once per year?) to keep their “active” role even if they are “inactive” (or if they only vote).

The idea is sound, but feels like an administrative nightmare. I’m not volunteering to manage it!

But yes, having “core developer” status not automatically imply “write access to all GitHub repositories” seems good to me. We have enough channels to regain access for anyone active, and at least we have a chance then to identify hijacked accounts (whereas if they get hijacked and have unnecessary access then it’s too late).

I don’t see why we’d need states for can/cannot vote, other than not sending them an annual email with a voting link. But I personally don’t care about the “core developer” title So I guess I need to employ some more imagination for why it’s important to keep the title but not the occasional email.

Same here, but I argued for this when we were discussing whether core devs should keep their voting privileges even if they haven’t committed in 2 years (I was on the “no” side of that).

But I do think keeping commit access “tight” so that people who aren’t exercising them aren’t a security risk is important as well. And trying to clean that up if unused after a year conflicts with the “commits in 2 years” part of PEP 13.

Maybe a way to sort of split the difference is to turn off someone’s commit bit if it goes unused for a year. People can be allowed to vote for 4 more years once they lost commit access automatically. But if you haven’t committed over the entire lifetime of a Python release then at that point you move to emeritus and you don’t get to vote anymore. You can always gain commit access back by asking.

That’s okay, we can ask Ee to do it More seriously, I see it as an extension of what is already done checking for active voters: email new inactive people to check if they wish to remain active for voting. At the same time, we would do a similar thing for active committers: email new inactive people to check if they wish to remain active for committing.

My suggestion is to check yearly, and use the same “no commits in 2 years” to trigger inactive. Partly for clarity, to mirror the inactive voters process; partly for practical reasons, to make it easier to administer.

Having inactive core developers temporarily lose their commit bit with an early reminder and the ability to reclaim it following some review sounds good to me. I think this is especially prudent for a project like CPython where reviews are not mandatory, so a core developer account is already quite able to do harm on its own.

Speaking on the administrative side: I suspect adding this process might handle some tough squishy parts around moving folks to emeritus without someone from the core team needing to both decide and be personally responsible for revoking their access. There are a lot of feels involved in moving on from a project and active commit access doesn’t need to be tied to celebrating past contributions.