[ckan-committers] SG members in GitHub org

Tue Jan 22 09:43:52 UTC 2019

Paul,

Thanks for understanding - 'member' makes more sense to me.

Regards,
David

On Mon, 21 Jan 2019 at 18:33, Paul Walsh <paul.walsh at okfn.org> wrote:
>
> Hey Tyler,
>
> TL;DR: happy to be devolved to member, would be good to know that the Technical Team also does a review of access in general.
>
>
> On security I agree with you completely.
>
> No, I, or "we" do not need the ability to delete the entire organisation.
>
> I do not at all mind being a devolved to a Member, especially if the Technical Team sees access to the organisation and changes to code without going via the Team as part of the attack surface for CKAN. I have not thought about access as such a high threat on decentralised code repositories in this way from other open source projects I participate in, but if this is part of the threat model for the Technical Team, I am 100% behind it.
>
> Following, it might then be good for the Technical Team to review who has access to what across the CKAN organisation on GitHub. From a random sample now, I see that a bunch of people have Admin access on mapviews who have either left the CKAN community or never contributed code, and likewise people who have left their CKAN-related roles with Admin access on important repos. I would not have noticed that without being an Owner, which kind of gets back to the original issue that led me to ask Adria to add myself and others (who has access to what).
>
> Thanks for letting us know your concerns, David and Tyler - I've tried to take them onboard. Let me, or the SG, know if anything is still unresolved with this issue.
>
> Best,
>
> Paul
>
> On Mon, 21 Jan 2019 at 19:46, Tyler Kennedy <tk at tkte.ch> wrote:
>>
>> Hello All,
>>
>> As the member list continues to grow so does our attack surface. Now is a good time to enable enforced 2-fa for the organization (100% of owners currently have 2fa! Woo!)
>>
>> From a security perspective:
>>
>> Having steering group members as regular organization members is not an issue, or even ckan/ckan admins, but adding all of them as full organization owners seems excessive. A compromised owner account can do anything, including deleting the entire organization. Do they really need this level of access?
>>
>> My personal opinion:
>>
>> Up until now there has been a very clear line between the steering group (advisory body of stakeholders) and the technical team. This change removes that line completely. If the SG member or their company is commercially motivated to make a change the technical team disagreed with it is now entirely within their power to force it through. They can now add and remove people at will, including members of the technical team. They no longer need to go through the technical team.
>>
>> To be clear, I do not think any current member of the SG would ever do something like this. However setting the precedent of all SG members being org owners does not seem like a good path to take. The steering group's role in governance should remain an advisory body of stakeholders, explicitly representing commercial interests in the CKAN project, and require consent of the technical team to make organization changes.
>>
>> Thank you,
>> Tyler Kennedy
>>
>> On Mon, Jan 21, 2019 at 4:09 AM Paul Walsh <paul.walsh at okfn.org> wrote:
>>>
>>> Hi David,
>>>
>>> Yes, sure:
>>>
>>> the request is about governance for sure, which is a very important issue for me in general, and also in relation to CKAN. As part of getting access to some other data (the Google Sheets behind the census as Steven mentioned), I also checked access to GitHub and saw that (a) there are a lot of people on the CKAN organisation that I didn't know at what level they have access, and that (b) several SG members had no access (including myself, currently on the steering group representing OKI). I did not in any way think this could be seen as inappropriate, either from the point of view of the Association (as the Steering Group is part of the governance mechanism),
>>>
>>>
>>>
>>>
>>> On Fri, 18 Jan 2019 at 18:46, David Read <david.read at hackneyworkshop.com> wrote:
>>>>
>>>> Paul,
>>>>
>>>> This change goes to the heart of ownership and governance of this open
>>>> project. For full clarity Paul, would you mind answering some further
>>>> questions?
>>>>
>>>> 1. Has the CKAN Steering Board agreed this action or is this an
>>>> individual request?
>>>
>>>
>>> I requested it while I was chasing up another request for another Steering Group member (as detailed in Steven's response). When I found I could not access these resources (even thought they are in the okfn Google Drive), I also checked what else around CKAN I could or could not access. I saw I had no membership on the CKAN organisation on GitHub at all, I asked Adria if he could add me and others that were missing.
>>>
>>>>
>>>> 2. What is the reason?
>>>
>>>
>>> As the Steering Group oversees the project governance, it does not seem controversial that Steering Group members would have access to the organisation on github.
>>>
>>>>
>>>> 3. Are members of the Steering Board now going to make tech changes
>>>> without the tech team first approving?
>>>
>>>
>>> No. But why would access lead to that conclusion?
>>>
>>> Best,
>>>
>>> Paul
>>>
>>>
>>>>
>>>>
>>>> Regards,
>>>> David
>>>>
>>>>
>>>>
>>>> David
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "CKAN Association Steering Group" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to ckan-steering-group+unsubscribe at googlegroups.com.
>>>> To post to this group, send an email to ckan-steering-group at googlegroups.com.
>>>> To view this discussion on the web, visit https://groups.google.com/d/msgid/ckan-steering-group/CAOY41VU_CEFDUg1crL5uEHyn%3DYrr-6aioxgC7v7UpFYRGqcsEg%40mail.gmail.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>> _______________________________________________
>>> ckan-committers mailing list
>>> ckan-committers at lists.okfn.org
>>> https://lists.okfn.org/mailman/listinfo/ckan-committers
>>
>> --
>> You received this message because you are subscribed to the Google Groups "CKAN Association Steering Group" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ckan-steering-group+unsubscribe at googlegroups.com.
>> To post to this group, send email to ckan-steering-group at googlegroups.com.
>> To view this discussion on the web, visit https://groups.google.com/d/msgid/ckan-steering-group/CAME5%3DWqYV%3DE5s-MfXLjdKisb_1xh40Qk5v8CXE2w3KKyHCEuqA%40mail.gmail.com.
>> For more options, visit https://groups.google.com/d/optout.
>
> _______________________________________________
> ckan-committers mailing list
> ckan-committers at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-committers