We'd like to request that ownership of the following modules which are currently owned by mark_fullmer be transferred to a new organizational account representing the University of Texas at Austin: https://www.drupal.org/u/utexas, to reflect our commitment to organizational stewardship of these modules.

- https://www.drupal.org/project/layout_builder_restrictions
- https://www.drupal.org/project/media_library_theme_reset
- https://www.drupal.org/project/responsive_tables_filter
- https://www.drupal.org/project/bootstrap_horizontal_tabs

Please let me know if I need to provide any additional information.

Comments

mark_fullmer’s picture

I am the current owner of the four modules listed above, and I approve this transfer of ownership to the utexas user.

cmlara’s picture

Status: Active » Needs review

The 4 above projects appear to be covered by the security advisory policy.

It is my understanding that webmasters are prohibited from transferring security advisory policy covered modules to owners who are not vetted.

The utexas account does not appear to be vetted and appears from its profile to be a shared account which can not be vetted.

Leaving as needs review for a webmaster to provide a more authoritative response.

gravelpot’s picture

Hi cmlara, I am the individual who set up the utexas account. Before creating the account, I confirmed that this looked compliant with the D.o terms of service (see https://www.drupal.org/terms#accounts):

If you are sharing your user account with multiple people you are allowed to:

  • Create project nodes
  • Create organization nodes
  • Create case study nodes
  • Submit translations to localize.drupal.org

Any help you can provide in working through this issue is appreciated. Thanks in advance.

cmlara’s picture

Hello gravelpot,

The procedure to receive the vetted role (also known as permission to opt into security advisory coverage) is governed by Apply for permission to opt into security advisory coverage. The process is geared towards individuals. An applicant is required to have code committed under their account, which shared accounts are prohibited from doing. (I'm not particularly fond of this process; however, it is the current policy.)

A recent issue where a project owner (with the vetted role) tried to transfer an enrolled project to a non-vetted user is #3103361: Transfer ownership of Browser Detect. I personally don't agree with restricting who a project owner can transfer to; however, I believe it has been required by the Security Team so that they have someone who has "proved they know how to write secure code" responsible for the project and (in theory but perhaps not in practice) auditing all code submitted by maintainers/co-maintainers to keep security issues from occurring in releases.

It is my understanding that policy on not transferring to non-vetted accounts applies to organizations as well (otherwise a non-vetted user could just create an organization account to bypass the policy) though there is always a chance I am mistaken.

The policy creates a rather annoying quirk. Anyone can own a project and any vetted maintainer or co-maintainer can opt a project into security coverage (a project could end up with a non-vetted owner which could be an organization) however after that it can only be transferred to vetted accounts which prevents organizations from becoming owners after the project is enrolled in security advisory coverage.

avpaderno’s picture

Assigned: Unassigned » avpaderno
Status: Needs review » Fixed

I transferred the ownership as requested.

Shared accounts aren't allowed to commit code. It won't make sense to ask shared accounts to have the permission to opt into security coverage, since applications coming from a shared account would be rejected.

gravelpot’s picture

Hi @apaderno, thanks for taking care of these so quickly.

Quick question -- I always thought that the "owner" of a project was visibly reflected on the project page as the username listed as "Created by," but that didn't change with all of these ownership changes (see screenshot). I recall seeing this change in high-profile cases of contrib module ownership changes in the distant past.

Is this no longer the case? Is there any way to update the username that appears there?

gisle’s picture

It used to be the owner.

However, note that it now says: "Created by". It is not necessarily the owner, but the person that initially created the project. AFAIK, there is no way to figure out who the current owner is from the GUI.

It was changed in February this year, see: #3099925: Display original project author instead of current node owner on project page.

avpaderno’s picture

You can still see who is the project owner on https://www.drupal.org/node/2975380/maintainers, for example. It's the user on the top of that list, for which the permissions cannot be changed. (That's true for every project for which you have the permission to change co-maintainers/maintainers.)

gisle’s picture

You can still see who is the project owner on https://www.drupal.org/node/2975380/maintainers, for example.

That link returns a 403 for most users here (including me). You've some elevated permissions that allow you to inspect that page.

avpaderno’s picture

@gisle My previous comment was for gravelpot, who asked me a question, to which I answered without repeating what was already said in another comment. I apologize for the confusion.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.