
Retrospective from the recent XZ vuln #412

Open
evelikov opened this issue Apr 7, 2024 · 1 comment

evelikov commented Apr 7, 2024

As many of you have seen in the news, XZ suffered a very serious vulnerability recently. Looking through the various discussions and reflecting, here are some actions I would love to see:

  • encourage cross reviews from everyone - add to CONTRIBUTING
  • maintenance lack of time vs funds - ditto mention in the CONTRIBUTING/README
  • the fix and test must be in the same PR - ditto CONTRIBUTING
  • ban direct pushes to master branch in GH settings - document in MAINTAINERS
  • add protected tags (pattern) in GH settings - MAINTAINERS
  • use signed tags for releases - MAINTAINERS
  • require signed commits for maintainers (how to check/enforce?), recommend for others - CONTRIBUTING
  • list current maintainers (in MAINTAINERS) and general response time (CONTRIBUTING)
  • set security policy (use Github?) and add some docs

@scaronni @xuzhen what do you think?
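The "how to check/enforce?" question about signed commits and signed release tags can be answered locally with git alone. The script below is an added example written for this page; it is not code from the issue, the project, or its maintainers. It assumes nothing about the repository beyond a git checkout and uses only git's documented `%G?` signature-status placeholder and `git verify-tag`. The sample log lines in `SAMPLE_LOG` are constructed to show the three outcomes a reviewer or CI job would meet.

```shell
#!/bin/sh
# Added example (not part of the issue or the project): gate a commit range on
# signature status, the check a maintainer or CI job could run before accepting
# a push or merging a PR. git's %G? placeholder yields one letter per commit:
#   G good signature, U good but key not trusted, X good but expired signature,
#   Y good but expired key, R good but revoked key, E cannot be checked
#   (e.g. key missing), B bad signature, N no signature.

# Read "<sha> <status> [signer...]" lines on stdin, as printed by
# `git log --format='%H %G? %GS'`, and report every commit that is not
# acceptably signed.
# $1: "yes" to accept good signatures from keys outside the local trust
#     database (status U); default "no".
# Returns 0 when every commit passes, 1 otherwise.
check_signature_lines() {
    allow_untrusted="${1:-no}"
    failed=0
    while read -r sha status _signer; do
        [ -n "$sha" ] || continue
        case "$status" in
            G) ;;
            U) if [ "$allow_untrusted" = yes ]; then
                   :
               else
                   echo "REJECT $sha: good signature but key is not trusted"
                   failed=1
               fi ;;
            N) echo "REJECT $sha: commit is not signed"; failed=1 ;;
            *) echo "REJECT $sha: signature status $status"; failed=1 ;;
        esac
    done
    return $failed
}

# Check a real range, e.g.: check_commit_range origin/master..HEAD
check_commit_range() {
    git log --format='%H %G? %GS' "$1" | check_signature_lines "${2:-no}"
}

# Verify a release tag made with `git tag -s`; a non-zero exit means reject.
check_release_tag() {
    git verify-tag "$1"
}

# Constructed sample of `git log --format='%H %G? %GS'` output (not real
# commits): one good signature, one unsigned commit, one untrusted key.
SAMPLE_LOG='0000000000000000000000000000000000000001 G Maintainer <m@example.invalid>
0000000000000000000000000000000000000002 N
0000000000000000000000000000000000000003 U Contributor <c@example.invalid>'

# Run the gate over the constructed sample; exits 1 because of the N and U lines.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | check_signature_lines no
}

demo || echo "sample range rejected (exit $?)"
```

Run `check_commit_range origin/master..HEAD` in CI or as a pre-receive hook to enforce the "signed commits for maintainers" item locally, and `check_release_tag v1.2.3` before publishing a release. Note that `G` only means the signature verifies against a key in the checker's keyring, so the keyring itself (the maintainers' public keys) has to be distributed and pinned for the check to mean anything; GitHub's branch protection also offers a "Require signed commits" rule that enforces this server-side for pushes to the protected branch.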

scaronni commented

Hi @evelikov, I'm fine with all of them. In the meantime I've made you an admin, as my time is really limited:

Feel free! I would suggest protecting the master branch; it is an easy win. Thanks!
