I find it hard for me to look at this objectively, since I have been
part of the project for over 8 years now (I think its closer to 9-10).
And have received trust already in various forms. But let me try anyway.
I feel that, as a basic we need a *few* different conventions for trust,
and to try and morph existing conventions/process to suit new needs, if
possible -- rather than having hundreds of divergent processes.
That said, I also do think we need to let each project, likely in
conjunction with some overarching trust caring group, to establish the
"right" process for them.
This boils down to the trust levels for a "Comitter Agreement" being
different than the trust levels for "IT volunteers", different than
trust levels for "Security Group", different than Trust Levels for
(e.g.) SeaMonkey giving someone access to manage the SeaMonkey Releng
infra etc.
Those all have many different trust needs, and likely many different
processes that would make sense.
For me I think the largest entry point is "known", where how that person
is known can vary greatly from reason to reason. Such as an employee
would become known on day 1, but we wouldn't necessarily grant checkin
rights, or root access to our primary DB servers, etc. on day 1. It
would evolve in giving the *employee* (or volunteer) as little access as
possible, for them to do what *we* want them to do.
As the trust relationship forms, from us trusting they won't "screw
something major up" as well as whatever barriers we have in place for
legal-leakage (say a committer agreement preventing them from commiting
exploit code onto our build network, or an IT legal agreement preventing
them from disclosing infrasec issues, etc.)
I myself have been around a long time, and helped out in both verbal
communication and physical work to earn my trust, but 8 years is a long
time to ask a volunteer to devote just to get "trusted" agreed.
Conclusion: very fluid requirements make sense for each area we would
expect to trust a user/person. But we should endeavor to make those
requirements as sane and relatably shared as possible.
--
~Justin Wood (Callek)