[ckan-committers] SG members in GitHub org

Paul Walsh paul.walsh at okfn.org
Mon Jan 21 18:33:22 UTC 2019


Hey Tyler,

TL;DR: happy to be devolved to member, would be good to know that the
Technical Team also does a review of access in general.


On security I agree with you completely.

No, I, or "we" do not need the ability to delete the entire organisation.

I do not at all mind being devolved to a Member, especially if the
Technical Team sees access to the organisation and changes to code without
going via the Team as part of the attack surface for CKAN. I have not
thought about access as such a high threat on decentralised code
repositories in this way from other open source projects I participate in,
but if this is part of the threat model for the Technical Team, I am 100%
behind it.

Following, it might then be good for the Technical Team to review who has
access to what across the CKAN organisation on GitHub. From a random sample
now, I see that a bunch of people have Admin access on mapviews
<https://github.com/ckan/ckanext-mapviews/settings/collaboration> who have
either left the CKAN community or never contributed code, and likewise
people <https://github.com/orgs/ckan/people/nibecker> who have left their
CKAN-related roles with Admin access on important repos. I would not have
noticed that without being an Owner, which kind of gets back to the
original issue that led me to ask Adria to add myself and others (who has
access to what).

Thanks for letting us know your concerns, David and Tyler - I've tried to
take them onboard. Let me, or the SG, know if anything is still unresolved
with this issue.

Best,

Paul

On Mon, 21 Jan 2019 at 19:46, Tyler Kennedy <tk at tkte.ch> wrote:

> Hello All,
>
> *As the member list continues to grow so does our attack surface. Now is a
> good time to enable enforced 2-fa for the organization
> <https://help.github.com/articles/requiring-two-factor-authentication-in-your-organization/>
> (100% of owners currently have 2fa! Woo!)*
>
> *From a security perspective:*
>
> Having steering group members as regular organization members is not an
> issue, or even ckan/ckan admins, but adding all of them as full
> organization owners seems excessive. A compromised owner account can do
> anything, including deleting the entire organization. Do they really need
> this level of access?
>
> *My personal opinion:*
>
> Up until now there has been a very clear line between the steering group
> (advisory body of *stakeholders*) and the technical team. This change
> removes that line completely. If the SG member or their company is
> commercially motivated to make a change the technical team disagreed with
> it is now entirely within their power to force it through. They can now add
> and remove people at will, including members of the technical team. They no
> longer *need* to go through the technical team.
>
> To be clear, I do not think any current member of the SG would ever do
> something like this. However setting the precedent of all SG members being
> org owners does not seem like a good path to take. The steering group's
> role in governance should remain an advisory body of stakeholders,
> explicitly representing commercial interests in the CKAN project, and
> require consent of the technical team to make organization changes.
>
> Thank you,
> Tyler Kennedy
>
> On Mon, Jan 21, 2019 at 4:09 AM Paul Walsh <paul.walsh at okfn.org> wrote:
>
>> Hi David,
>>
>> Yes, sure:
>>
>> the request is about governance for sure, which is a very important issue
>> for me in general, and also in relation to CKAN. As part of getting access
>> to some other data (the Google Sheets behind the census as Steven
>> mentioned), I also checked access to GitHub and saw that (a) there are a
>> lot of people on the CKAN organisation that I didn't know at what level
>> they have access, and that (b) several SG members had no access (including
>> myself, currently on the steering group representing OKI). I did not in any
>> way think this could be seen as inappropriate, either from the point of
>> view of the Association (as the Steering Group is part of the governance
>> mechanism),
>>
>> On Fri, 18 Jan 2019 at 18:46, David Read <david.read at hackneyworkshop.com>
>> wrote:
>>
>>> Paul,
>>>
>>> This change goes to the heart of ownership and governance of this open
>>> project. For full clarity Paul, would you mind answering some further
>>> questions?
>>>
>>> 1. Has the CKAN Steering Board agreed this action or is this an
>>> individual request?
>>>
>>
>> I requested it while I was chasing up another request for another
>> Steering Group member (as detailed in Steven's response). When I found I
>> could not access these resources (even though they are in the okfn Google
>> Drive), I also checked what else around CKAN I could or could not access. I
>> saw I had no membership on the CKAN organisation on GitHub at all, so I asked
>> Adria if he could add me and others that were missing.
>>
>>
>>> 2. What is the reason?
>>>
>>
>> As the Steering Group oversees the project governance, it does not seem
>> controversial that Steering Group members would have access to the
>> organisation on github.
>>
>>
>>> 3. Are members of the Steering Board now going to make tech changes
>>> without the tech team first approving?
>>>
>>
>> No. But why would access lead to that conclusion?
>>
>> Best,
>>
>> Paul
>>
>>
>>
>>>
>>> Regards,
>>> David
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "CKAN Association Steering Group" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ckan-steering-group+unsubscribe at googlegroups.com.
>>> To post to this group, send an email to
>>> ckan-steering-group at googlegroups.com.
>>> To view this discussion on the web, visit
>>> https://groups.google.com/d/msgid/ckan-steering-group/CAOY41VU_CEFDUg1crL5uEHyn%3DYrr-6aioxgC7v7UpFYRGqcsEg%40mail.gmail.com
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>> _______________________________________________
>> ckan-committers mailing list
>> ckan-committers at lists.okfn.org
>> https://lists.okfn.org/mailman/listinfo/ckan-committers
>>
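The access review Paul describes above (who holds Admin on which repositories, accounts that have left their CKAN roles, and Tyler's point about enforcing 2FA before the member list grows further) is the kind of check that is easier to script than to eyeball through the GitHub UI. The block below is an added example, not code from this thread or from the CKAN project. It runs entirely offline: the member, 2FA and collaborator records are constructed to mirror the shape of the GitHub REST API responses named in the docstring (logins and repo contents are fictional), and the two allowlists are hypothetical inputs a Technical Team would maintain. Fetching the real data with an owner-scoped token is left to the reader.

```python
"""Offline access review for a GitHub organisation.

Added example; not CKAN project code. The records below are CONSTRUCTED to
mirror the shape of GitHub REST API responses:
  GET /orgs/{org}/members                        -> login, role ("admin" == Owner)
  GET /orgs/{org}/members?filter=2fa_disabled    -> members without 2FA
  GET /repos/{owner}/{repo}/collaborators        -> login, permissions{admin,...}
Logins and repo contents are fictional placeholders; the allowlists are
hypothetical inputs a Technical Team would maintain. No network calls are made.
"""

# Constructed: org membership with org-level role.
ORG_MEMBERS = [
    {"login": "alice", "role": "admin"},
    {"login": "bob", "role": "admin"},
    {"login": "carol", "role": "member"},
    {"login": "dave", "role": "member"},
    {"login": "erin", "role": "member"},
]

# Constructed: logins the API returns for ?filter=2fa_disabled.
MEMBERS_WITHOUT_2FA = ["dave"]


def _perm(admin=False, push=False):
    """Build a GitHub-style permissions object (constructed helper)."""
    return {"admin": admin, "maintain": admin, "push": admin or push,
            "triage": admin or push, "pull": True}


# Constructed: direct collaborators per repository.
REPO_COLLABORATORS = {
    "ckan": [
        {"login": "alice", "permissions": _perm(admin=True)},
        {"login": "carol", "permissions": _perm(push=True)},
        {"login": "erin", "permissions": _perm(admin=True)},   # left the project
    ],
    "ckanext-mapviews": [
        {"login": "bob", "permissions": _perm(admin=True)},
        {"login": "frank", "permissions": _perm(admin=True)},  # never joined the org
        {"login": "dave", "permissions": _perm(push=True)},
    ],
}

# Hypothetical allowlists maintained by the Technical Team.
EXPECTED_REPO_ADMINS = {"alice", "bob"}
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "dave"}


def org_owners(members):
    """Logins holding the Owner role (the members API reports it as role == "admin")."""
    return {m["login"] for m in members if m.get("role") == "admin"}


def review_access(members, no_2fa, repo_collaborators, expected_admins, active_accounts):
    """Return {"owners": [...], "findings": [(scope, login, reason), ...]}.

    Each finding is one least-privilege violation a reviewer would act on.
    """
    member_logins = {m["login"] for m in members}
    findings = []
    for repo in sorted(repo_collaborators):
        for collab in repo_collaborators[repo]:
            login, perms = collab["login"], collab.get("permissions", {})
            if perms.get("admin") and login not in expected_admins:
                findings.append((repo, login, "admin not on Technical Team allowlist"))
            if login not in active_accounts:
                findings.append((repo, login, "access held by inactive account"))
            if login not in member_logins:
                findings.append((repo, login, "outside collaborator (not an org member)"))
    # Turning on "Require two-factor authentication" removes non-compliant
    # members from the org, so list them before flipping the setting.
    for login in sorted(set(no_2fa) & member_logins):
        findings.append(("org", login, "2FA disabled; would be removed by 2FA enforcement"))
    return {"owners": sorted(org_owners(members)), "findings": findings}


def run_review():
    """Run the review over the constructed data set."""
    return review_access(ORG_MEMBERS, MEMBERS_WITHOUT_2FA, REPO_COLLABORATORS,
                         EXPECTED_REPO_ADMINS, ACTIVE_ACCOUNTS)


if __name__ == "__main__":
    report = run_review()
    print("Owners:", ", ".join(report["owners"]))
    for scope, login, reason in report["findings"]:
        print(f"{scope:20} {login:8} {reason}")
```

Two design points worth noting. The repo-level check is deliberately separate from the org-level Owner list, because (as the thread notes) repository Admin on an extension like ckanext-mapviews can be held by someone with no org role at all, and that is exactly what a UI walk-through misses. The 2FA pass is run as a pre-flight rather than as a fix: enforcing 2FA on the organisation drops every member who has not enabled it, so the list of affected accounts should be known before the setting is changed.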