Petition for Multi-Approval Organization Ownership Controls on GitHub

[martinemde]

Select Topic Area

Product Feedback

Body

Summary

We are requesting that GitHub implement a mandatory multi-person approval system for top-level organization ownership changes consistent with their approach of offering code review protections that require multiple approvals. This feature would allow organizations to require a specified number or percentage of owners to approve critical changes, preventing unilateral actions that can compromise entire projects and communities.

Proposal: Organization Governance Controls

GitHub should provide organization owners with the ability to enable and configure approval thresholds for all top-level ownership actions for adding or removing owners, transferring or deleting the organization and changing governance settings.
The system should support multiple approval models, like unanimous, majority, supermajority, or percentage / number of votes systems.

Key Requirements

1. Changing the approval threshold setting itself must require the same level of approval currently configured
2. Enabling governance controls for the first time requires unanimous acceptance from all existing owners
3. Once governance controls are proposed but not yet accepted, no ownership changes can occur until all owners accept or the proposal is withdrawn
4. All approval requests, votes, and outcomes should be audit logged

Motivation

This proposal is directly motivated by the recent ownership dispute that has gone poorly for the community owned open source RubyGems GitHub enterprise. In that incident, a single owner was able to make unilateral changes that the overwhelming majority of other owners opposed, leading to loss of control for legitimate maintainers and community disruption and trust damage.
This feature would have prevented that crisis entirely by clarifying top-level control structures before disputes arose, requiring consensus for ownership changes, allowing the maintainer majority to block unauthorized actions, and most importantly by requiring us to decide this question from the start instead of waiting until it failed.

It's worth noting that even if you disagree with my position on the correct ownership of rubygems, that this would have been much better for Ruby Central as well whichever way the ownership dispute lands. Governance clarity helps everyone.

This is good for

Open Source Projects

• Prevents single points of failure while maintaining legitimate control
• Demonstrates responsible governance to contributors
• Resolves the inconsistency in enforcement mechanisms that often value businesses over individuals

Organizations

• Prevents rogue administrator actions
• Helps meet governance requirements for regulated industries
• Ensures no single person can compromise the organization

GitHub

• Reduces disputes and support burden from ownership conflicts
• Makes GitHub more attractive for organizations with governance requirements
• Positions GitHub as the platform that takes organizational governance seriously

Conclusion

The simplest ownership model governance, requiring multiple people to approve critical changes, is a standard practice in corporate and legal structures worldwide. Every company and open source project would benefit from GitHub offering this protection.
The RubyGems incident demonstrated that GitHub's current all-or-nothing ownership model is insufficient for protecting organizations from internal disputes even with documented practices. All organizations are vulnerable to these problems even if they have legal means and the resources necessary to recover control. Even in the best cases, damage can be done very quickly. We urge GitHub to implement multi-approval ownership controls to prevent future incidents and provide the governance tools that modern organizations require.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐