> Jazzband was always a one-roadie operation. People asked for more roadies and offered to help over the years, and I tried a number of times to make it work – but it never stuck.
Not sure what exactly prevented him from accepting more people into the role of "roadies"...
The level of trust required is immense. We’re talking about a position where you get the keys to the kingdom to a very large number of projects.
I would say that having roadie level access is equivalent to having access to Django core. I have never seen a recent Django project that isn’t pulling something from jazzband.
Despite this I think it’s important to highlight that even in that world jazzband had a lot of infra so that projects could do things like releases cleanly and safely (we aren’t doing direct project releases to pypi but going through jazzband infra to do the release). So release maintainers have a lot less access despite releases “coming from” Jazzband.
Why are we assuming that there were lots of volunteers in the first place? If this is such a high-trust position, it should be called something other than "roadie". I thought it was common knowledge that the term "roadie" is considered mildly derogatory, and that the modern word was more specific and skill-based, i.e. "stage manager", etc.
As an N=1 example, I myself have some experience with various Django packages including some Jazzband ones. Around 7 years ago I looked at this organization, thought about volunteering to be a "roadie", and specifically decided not to do so due to the terminology. I'm pretty sure that something like "Looking for trusted co-maintainers with a history of FOSS contribution" would draw in more folks than "Looking for roadies".
If you're going to say "well no one complained", guess what, I didn't either. People will just quietly decide to not volunteer due to stuff like this, leading to a shortage over time.
Summary: Branding and acknowledgement matter, so check carefully what you call the volunteers that you're expecting tens of hours of free work from.
That requires a lot of infra that isn’t built into _any_ of our tooling.
It’s not so much about decision making as it is about the practical reality that people at that level basically need at least read access to a lot of secrets.
You could say “maybe jazzband can infra its way out of those problems” but that’s a looooot of work! “N out of M consensus on making a GitHub API request to set who is a maintainer” * every single action roadies need to do
It’s not just about bad actors either. Imagine a jazzband roadie getting credentials stolen via some npm-y attack. Obviously this problem exists in the project in the current form but _that problem gets worse just onboarding people_.
> maybe jazzband can infra its way out of those problems
Maybe jazzband can't infra their way out of the problem, but maybe we can create some tools that will help orgs that encounter this problem in future...
... that's a software engineer in me talking. I have no idea how to organize communities, but I may know a thing or two about making software. And when you've got a hammer in your hands everything starts looking like a nail...
yeah tbqh I think the biggest challenge with tooling on that front is that this really is a problem mostly limited to community projects. The problems jazzband need to solve don't exist nearly as much in a universe where everyone is in a company on some payroll
In most corporate environments while it might make sense to do N of M in the high security case it's not really a thing that people will jump for for the first... uhhh 10k employees of a company's lifetime.