My main concerns with this proposal are that:
the Terra Rebel’s repository is currently owned by one person, not by Terra Rebel’s as a whole. @Zaradar has stated “I created and own the TR repo” (click here for source). I respect him greatly, enjoy the conversations I have had with him, even where we sometimes disagree (which has always helped to sharpen my thinking, and forces me to have to [re-]research and consider a topic further), I appreciate him as a person, and I respect him as a developer, but it is a concern for me that the repository is owned by a single person that is contributing code as one of the few owners (rather than Terra Rebel’s as a whole), at least if the goal is decentralization. I would feel the same if it were a github org that I owned as repository owner.
While the classic-core repository holds a portion of the protocol’s code, it does not hold all of it. The cosmos-sdk holds custom pieces of code that are also part of the protocol for instance. The classic-docs holds the documentation which defines, in written form, certain aspects of the protocol for developers (who then is the official source for documentation for instance). While classic-core is important because it is the repository that holds the finalized release code, there are other repositories that should also have been included in this list.
There are no processes listed about independent security review or testing requirements that would be appropriate for a repository to maintain trust as authoritative (although to be fair, there was not for TFL that I am aware of)
A month ago I was considering opening a discussion for a potential proposal that was essentially the same in substance as this one. I pointed out at the time something that @ek826 also recently pointed out, which is the official github org (collection of repositories) can be changed at will through a Terra v1 governance vote (and should if there becomes any concerns about honest procedure with the code, review, security, or distribution path to validators).
For me the issue of having a single trusted repository, preferably decentralized, was mainly one of security. It appeared a single source would provide better security as well as meet the goals of community contributions that are contributed as implementations of governance proposals that had passed, and were independently reviewed by multiple sources (primarily for security) and had appropriate testing. A single repository, with clear rules about what is considered appropriate vs. inappropriate for code, security, testing, and community contributions, based on Terra v1 governance, could provided a trusted source, as the cosmos-sdk documentation states is necessary. It made sure that multiple repositories were not diverging and causing issues with code regression (or subtle security issues either unintentionally or intentionally). It does not necessarily, however, provide for node diversification, which is a goal @Zaradar has mentioned he personally would like to see.
I did not pursue it any further since proposal 4159 gave a template that could be used, and handled the security and testing aspects without necessarily needing a single repository, however this proposal, while still open as a proposal, offers the opportunity to rethink this.
It should be stated as well that a person can change their vote, one way or the other, during open voting.
If this proposal should pass, then I am hoping to open a discussion around aspects of code review and distribution (just to make sure there are clear guidelines from the Terra v1 governance community on aspects that signal when it should choose to change the official/authoritative/canonical set of repositories). Things such as:
Is it appropriate to distribute to validators without a Terra v1 governance vote, and if so, on which issues (possibly such as a Common Vulnerabilities and Exposures (CVE) high or medium vulnerability in the code directly or for a referenced library, after appropriate testing)?
What level of review, security procedure, and testing must be done before a release?
What repositories, or functionality in repositories, require a Terra v1 governance vote (such as the documentation states that those things that change the protocol, but also the functionality around governance and staking that is documented as the official way a person is to interact with governance [such as the ability to stake as well as governance section of Terra Station, since they are currently documented as the way for non-application-developers or validators to interact with those portions])?
Under what conditions should a genesis event, or friendly fork, happen?
If this proposal should not pass, then the discussion may also include using security review service/volunteers to host a primary and secondary org of mirrored repositories as the authoritative repositories for the Terra v1 community with the goal of providing equal access to community developers for contributions that further governance proposals that have passed. The repositories could be traditional hosted services such as github, gitlab, atlasian, etc; or it could be a decentralized option such as Radicle (one review here)
Just a few thoughts.