[ckan-committers] SG members in GitHub org
tk at tkte.ch
Mon Jan 21 17:45:53 UTC 2019
*As the member list continues to grow so does our attack surface. Now is a
good time to enable enforced 2-fa for the organization
(100% of owners currently have 2fa! Woo!)*
*From a security perspective:*
Having steering group members as regular organization members is not an
issue, or even ckan/ckan admins, but adding all of them as full
organization owners seems excessive. A compromised owner account can do
anything, including deleting the entire organization. Do they really need
this level of access?
*My personal opinion:*
Up until now there has been a very clear line between the steering group
(advisory body of *stakeholders*) and the technical team. This change
removes that line completely. If the SG member or their company is
commercially motivated to make a change the technical team disagreed with,
it is now entirely within their power to force it through. They can now add
and remove people at will, including members of the technical team. They no
longer *need* to go through the technical team.
To be clear, I do not think any current member of the SG would ever do
something like this. However, setting the precedent of all SG members being
org owners does not seem like a good path to take. The steering group's
role in governance should remain an advisory body of stakeholders,
explicitly representing commercial interests in the CKAN project, and
require consent of the technical team to make organization changes.
On Mon, Jan 21, 2019 at 4:09 AM Paul Walsh <paul.walsh at okfn.org> wrote:
> Hi David,
> Yes, sure:
> the request is about governance for sure, which is a very important issue
> for me in general, and also in relation to CKAN. As part of getting access
> to some other data (the Google Sheets behind the census as Steven
> mentioned), I also checked access to GitHub and saw that (a) there are a
> lot of people on the CKAN organisation that I didn't know at what level
> they have access, and that (b) several SG members had no access (including
> myself, currently on the steering group representing OKI). I did not in any
> way think this could be seen as inappropriate, either from the point of
> view of the Association (as the Steering Group is part of the governance
> On Fri, 18 Jan 2019 at 18:46, David Read <david.read at hackneyworkshop.com>
>> This change goes to the heart of ownership and governance of this open
>> project. For full clarity Paul, would you mind answering some further
>> 1. Has the CKAN Steering Board agreed this action or is this an
>> individual request?
> I requested it while I was chasing up another request for another Steering
> Group member (as detailed in Steven's response). When I found I could not
> access these resources (even though they are in the okfn Google Drive), I
> also checked what else around CKAN I could or could not access. I saw I had
> no membership on the CKAN organisation on GitHub at all, so I asked Adria if
> he could add me and others that were missing.
>> 2. What is the reason?
> As the Steering Group oversees the project governance, it does not seem
> controversial that Steering Group members would have access to the
> organisation on github.
>> 3. Are members of the Steering Board now going to make tech changes
>> without the tech team first approving?
> No. But why would access lead to that conclusion?
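Added here as an illustration of the two checks the message raises (how many full owners the org has, and whether every account has 2FA before enforcement is switched on); this is not code from the CKAN project or from anyone in the thread. Live use goes through the real GitHub REST endpoint `GET /orgs/{org}/members` (assumed org name and token are placeholders); the audit logic itself runs offline on constructed sample membership data.

```python
import json
import urllib.request

API = "https://api.github.com"

def fetch_logins(org, token, role="all", only_2fa_disabled=False):
    """Return member logins from GET /orgs/{org}/members.
    role=admin lists owners, role=member lists everyone else;
    filter=2fa_disabled requires an owner token. One page (per_page=100)."""
    url = f"{API}/orgs/{org}/members?role={role}&per_page=100"
    if only_2fa_disabled:
        url += "&filter=2fa_disabled"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return [m["login"] for m in json.load(resp)]

def audit_org(owners, all_members, no_2fa, max_owners=3):
    """Flag an oversized owner set and 2FA gaps; returns a summary dict."""
    owners, all_members, no_2fa = set(owners), set(all_members), set(no_2fa)
    owners_no_2fa = sorted(owners & no_2fa)
    members_no_2fa = sorted((all_members - owners) & no_2fa)
    findings = []
    if len(owners) > max_owners:
        findings.append(f"{len(owners)} owners (limit {max_owners}): every "
                        "owner can delete the org; demote to member/repo admin")
    if owners_no_2fa:
        findings.append("owners without 2FA: " + ", ".join(owners_no_2fa))
    if members_no_2fa:
        # GitHub removes non-compliant members when 2FA is made mandatory.
        findings.append(f"{len(members_no_2fa)} members without 2FA would be "
                        "removed by enforced 2FA; ask them to enable it first")
    return {"owner_count": len(owners),
            "owner_2fa_coverage": 1 - len(owners_no_2fa) / len(owners) if owners else 1.0,
            "members_without_2fa": members_no_2fa,
            "findings": findings}

# Constructed sample data (hypothetical logins, not the real CKAN org).
SAMPLE_OWNERS = ["alice", "bob", "carol", "dave", "erin"]
SAMPLE_MEMBERS = SAMPLE_OWNERS + ["frank", "grace", "heidi"]
SAMPLE_NO_2FA = ["grace", "heidi"]

if __name__ == "__main__":
    # Live: owners = fetch_logins("ORG", "TOKEN", "admin"), members = fetch_logins(
    # "ORG", "TOKEN"), no_2fa = fetch_logins("ORG", "TOKEN", only_2fa_disabled=True)
    for line in audit_org(SAMPLE_OWNERS, SAMPLE_MEMBERS, SAMPLE_NO_2FA)["findings"]:
        print(line)
```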