Best practices for vetting new module owners?


(Robert Kieffer) #1

In light of the “event-stream incident”, are there any formal guidelines/best practices for how to go about transitioning ownership of a module?

For context, I maintain the node-int64 project. I have had little/no interest in maintaining it for several years, but it has “significant” adoption (130+ dependents, 4M downloads/week). I recently added a “Hey, this is no longer maintained / I’m looking for someone to take over” blurb to the README, but I don’t want to risk another event-stream incident. So if/when someone offers to take over, what do people recommend as far as verifying a potential (co)owner’s suitability?


(Adam Baldwin) #2

This is a difficult problem. I certainly don’t have the answer to this but I have some thoughts. There are whole industries dedicated to background checks and interview processes and bad eggs still manage to make their ways into organizations. Maintainers that have moved on from a project or don’t have the time or have burned out typically don’t have the time to go through a rigorous background check process.

Have they contributed to other projects
For me I think I would look at their historic contributions to other projects. This is problematic in a few ways. Maybe all their experience is in a classified space and now they are branching out as their career has changed (I have a few friends in this space that are treated as not having experience because of this). Maybe they are a fresh maintainer with little experience, does that make them unqualified? Maybe?

What have their contributions been to the project?
One might think a good strategy is to give them commit bit or ask them to submit pull requests and then keep control over the publication and distribution process for a period of time. This also isn’t going to be perfect and protect against those long cons with very specific targets in mind.

Start with past contributors
Maybe the right strategy is to start by asking past contributors if they would like a new responsibility. They are a bit more trusted and have already contributed and aren’t coming begging to take over a popular module.