Description
For maximum security, we could remove all owners from the rust-lang crates published on crates.io except rust-lang-owner, but we need to make sure we don't limit what people can do.
E.g. how do people yank a crate if they are not owners? One solution might be that the process to yank a crate is simply to ask an infra-admin in the t-infra Zulip chat to yank it. Infra admins can yank a crate from the crates.io UI.
This could work if we yank crates rarely.
In case people need to yank crates more frequently and infra-admins become a bottleneck, then we could automate yanking crates with GitHub Actions somehow.
E.g. we could create a repo where we list yanked versions for each crate, and a CI job yanks the versions listed.
We could protect the files with codeowners, so that teams can self-approve yanking versions.
- Also ensure that no crates-io tokens exist for the crates?
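One way the "repo listing yanked versions + CI job" idea could look, as an added example that is not from this issue or from any rust-lang repository: a hypothetical plain-text file (assumed name `yanked.txt`, one `<crate> <version>` per line, protected by CODEOWNERS) is parsed by the CI job, every line is validated before it can reach `cargo yank`, and the job fails closed if any line is malformed. The sample list is constructed for the demonstration; the script only prints the `cargo yank` commands (dry run) so it runs offline without a crates.io token.

```shell
#!/bin/sh
# Added example (not from the rust-lang issue or any rust-lang repo).
# Assumes a hypothetical file, one "<crate> <version>" per line, '#' comments
# allowed, reviewed through CODEOWNERS. The CI job would run the printed
# commands; here we only validate and print them so this runs offline.

# crates.io names: ASCII letters, digits, '-' and '_', starting alphanumeric.
is_valid_crate() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_-]*$'
}

# Semver-shaped version: MAJOR.MINOR.PATCH with optional pre-release/build.
is_valid_version() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
}

# Read the list and emit one `cargo yank` command per valid entry.
# Rejected lines go to stderr and make the function return non-zero, so a
# CI job built on it fails closed instead of yanking half the list.
plan_yanks() {
  file="$1"
  bad=0
  set -f                      # no glob expansion while word-splitting lines
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}          # drop trailing comment
    set -- $line              # split into words (IFS default)
    [ $# -eq 0 ] && continue  # blank or comment-only line
    if [ $# -ne 2 ] || ! is_valid_crate "$1" || ! is_valid_version "$2"; then
      printf 'rejected: %s\n' "$line" >&2
      bad=$((bad + 1))
      continue
    fi
    # `cargo yank --version <ver> <crate>` is the real cargo syntax;
    # `--undo` would reverse it.
    printf 'cargo yank --version %s %s\n' "$2" "$1"
  done < "$file"
  set +f
  [ "$bad" -eq 0 ]
}

# Constructed sample list for a stand-alone run (not a real yank list).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# crate      version        (each line approved via CODEOWNERS review)
foo-utils    1.2.3
foo-utils    1.2.4-beta.1   # regression in the beta
EOF

plan_yanks "$SAMPLE"
rm -f "$SAMPLE"
```

In a real workflow the job would run the printed commands with a scoped `CARGO_REGISTRY_TOKEN` held as a repository secret, which keeps the token out of individual maintainers' hands, in line with the point about not having per-crate crates.io tokens lying around.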