> The level of trust required
Maybe it could be mitigated by having some kind of council and requiring m out of n signatures to do anything?
I know that people on HN hate Bitcoin, so I'm always a bit wary to use it as an example.
But I think that in such cases having something similar to Bitcoin multisig could help.
That requires a lot of infra that isn’t built into _any_ of our tooling.
It’s not so much about decision making as it is about the practical reality that people at that level basically need at least read access to a lot of secrets.
You could say “maybe jazzband can infra its way out of those problems” but that’s a looooot of work! “N out of M consensus on making a GitHub API request to set who is a maintainer” * every single action roadies need to do
It’s not just about bad actors either. Imagine a jazzband roadie getting credentials stolen via some npm-y attack. Obviously this problem exists in the project in the current form but _that problem gets worse just onboarding people_
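As an added illustration of the m-of-n idea from the first comment (and of the per-action check the reply says roadies would have to go through), the following is example code written for this thread, not anything jazzband or its roadies run. It assumes a hypothetical council of four members, a quorum of three, and constructed per-member keys; it uses HMAC-SHA256 approval tags from the standard library in place of real asymmetric multisig, so the verifying bot here holds every member's key, which a real deployment would avoid by verifying public-key signatures instead.

```python
import hashlib
import hmac
import json

# Constructed keys for a hypothetical council; in a real setup each member would
# hold a private signing key and the verifier only their public keys.
COUNCIL_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
    "dave": b"constructed-key-dave",
}
QUORUM = 3  # m of n: three of the four council members must approve an action


def canonical(action: dict) -> bytes:
    """Serialise an action deterministically so every member tags the same bytes."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


def approve(member: str, action: dict) -> str:
    """A member's approval: an HMAC over the exact action (including its nonce)."""
    return hmac.new(COUNCIL_KEYS[member], canonical(action), hashlib.sha256).hexdigest()


def count_valid_approvals(action: dict, approvals: dict) -> int:
    """Count distinct council members whose tag verifies for this exact action.

    Tags for a different action (a changed username, a reused nonce) do not
    verify, and unknown members are ignored, so a single stolen credential can
    contribute at most one approval.
    """
    msg = canonical(action)
    valid = set()
    for member, tag in approvals.items():
        key = COUNCIL_KEYS.get(member)
        if key is None:
            continue
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(member)
    return len(valid)


def authorize(action: dict, approvals: dict) -> bool:
    """True only when at least QUORUM distinct members approved this action."""
    return count_valid_approvals(action, approvals) >= QUORUM


if __name__ == "__main__":
    # Constructed action: the sort of GitHub API request the reply mentions.
    action = {
        "op": "add_maintainer",
        "repo": "jazzband/example-repo",  # placeholder repository name
        "user": "newperson",
        "nonce": "constructed-nonce-0001",  # unique per request to prevent replay
    }
    three = {m: approve(m, action) for m in ("alice", "bob", "carol")}
    two = {m: approve(m, action) for m in ("alice", "bob")}
    print("3 of 4 approvals:", authorize(action, three))   # True
    print("2 of 4 approvals:", authorize(action, two))     # False
    # An attacker who alters the request cannot reuse the council's tags.
    tampered = dict(action, user="attacker")
    print("tampered request with old approvals:", authorize(tampered, three))  # False
```

The point the reply makes shows up directly in the code: every roadie action has to be serialised, circulated to a quorum, and verified before the bot touches GitHub, which is the infrastructure cost that nothing in the existing tooling provides.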