Question

I just read this comment on the drupal.org site:

A user who doesn't have the vetted role cannot become the only maintainer, or the project maintainer, of a project that opted into security coverage, in the same way a user without the vetted role cannot take over a project that opted into security coverage.

I tried to find out what this is on the site, without luck, and I really don't have any idea.

Does somebody know what the vetted role means on drupal.org?


Solution

In order for a Drupal contributed module to be eligible to be tagged as a security monitored project, one or more of the maintainers have to be 'vetted'.

Here is the main Drupal security policy on this. See the "Which Projects are covered" section. There is a link in this to the process of becoming 'vetted'.

Basically, you submit a Drupal.org project to a queue. Eventually, security community members will review it for use of best security practices, code quality, and some other stuff. If approved, the maintainer becomes 'vetted'. Unfortunately, this process can take a long time to happen.

Once you have a project approved and are 'vetted', any other projects you maintain can be labeled as covered by the security community.

OTHER TIPS

I used the term vetted role because vetted is the term that appears in the user profile for users who have the Git administrator role on Drupal.org.

screenshot

In places listing the possible roles a Drupal.org user can have, Git vetted user is one of them.

screenshot

Before the ability to opt into security advisory coverage was introduced, that role allowed users to create a full project; without that role, users were only able to create sandbox projects. That is when the vetted role was introduced.

Nowadays, the documentation speaks of being able to opt into security coverage, for example Apply for permission to opt into security advisory coverage or Security advisory process and permissions policy. The term vetted is still mentioned in those pages, but in Security advisory process and permissions policy it appears only once. (It's probable that most users would not catch what vetted means, nor will they notice that term.)

Today, users who want to apply to opt into security coverage for the projects they create are the ones going to get the vetted role. Those aren't the only users who have that role, though. The vetted role has been given to:

  • Users who have asked for the permission to be able to create full projects (and not only sandbox projects). Now every user, even the ones who don't have the confirmed role, can create full projects, but they still need the vetted role to opt into security coverage for the projects they create.

  • Users who in the past asked for the permission to commit code into the Drupal.org CVS repository. Now Drupal.org uses Git (in particular an instance of GitLab running on a drupal.org sub-domain), but the users who asked to be able to write to the Drupal.org CVS repository were given the vetted role.

Disclaimer

I am one of the users who has reviewed the requests to get the vetted role since the time Drupal.org used CVS.

Licensed under: CC-BY-SA with attribution