[ckan-committers] SG members in GitHub org
Adrià Mercader
adria.mercader at okfn.org
Thu Jan 24 10:03:20 UTC 2019
Hi all,
First of all thanks David, Tyler, Steven and Paul for the feedback. Second,
please accept my apologies for having made the change without consulting
the rest of the team; it is obvious now that this action required prior
discussion.
After discussion, I'm going to:
* Turn SG members on the GitHub org into members
* Remove any person that is no longer involved in current CKAN work, i.e. not
a member of a team (I'll send an email to the mailing list in case someone
loses needed permissions)
Going forward permissions will be given as needed, if possible using the
teams feature to restrict them to the repos needed.
Thanks all and again apologies.
Best,
Adrià
On Tue, 22 Jan 2019 at 10:54, David Read <david.read at hackneyworkshop.com>
wrote:
> Paul,
>
> Thanks for understanding - 'member' makes more sense to me.
>
> Regards,
> David
>
> On Mon, 21 Jan 2019 at 18:33, Paul Walsh <paul.walsh at okfn.org> wrote:
> >
> > Hey Tyler,
> >
> > TL;DR: happy to be devolved to member, would be good to know that the
> Technical Team also does a review of access in general.
> >
> >
> > On security I agree with you completely.
> >
> > No, I, or "we" do not need the ability to delete the entire organisation.
> >
> > I do not at all mind being devolved to a Member, especially if the
> Technical Team sees access to the organisation and changes to code without
> going via the Team as part of the attack surface for CKAN. I have not
> thought about access as such a high threat on decentralised code
> repositories in this way from other open source projects I participate in,
> but if this is part of the threat model for the Technical Team, I am 100%
> behind it.
> >
> > Following, it might then be good for the Technical Team to review who
> has access to what across the CKAN organisation on GitHub. From a random
> sample now, I see that a bunch of people have Admin access on mapviews who
> have either left the CKAN community or never contributed code, and likewise
> people who have left their CKAN-related roles with Admin access on
> important repos. I would not have noticed that without being an Owner,
> which kind of gets back to the original issue that led me to ask Adria to
> add myself and others (who has access to what).
> >
> > Thanks for letting us know your concerns, David and Tyler - I've tried
> to take them onboard. Let me, or the SG, know if anything is still
> unresolved with this issue.
> >
> > Best,
> >
> > Paul
> >
> > On Mon, 21 Jan 2019 at 19:46, Tyler Kennedy <tk at tkte.ch> wrote:
> >>
> >> Hello All,
> >>
> >> As the member list continues to grow so does our attack surface. Now is
> a good time to enable enforced 2FA for the organization (100% of owners
> currently have 2FA! Woo!)
> >>
> >> From a security perspective:
> >>
> >> Having steering group members as regular organization members is not an
> issue, or even ckan/ckan admins, but adding all of them as full
> organization owners seems excessive. A compromised owner account can do
> anything, including deleting the entire organization. Do they really need
> this level of access?
> >>
> >> My personal opinion:
> >>
> >> Up until now there has been a very clear line between the steering
> group (advisory body of stakeholders) and the technical team. This change
> removes that line completely. If the SG member or their company is
> commercially motivated to make a change the technical team disagreed with
> it is now entirely within their power to force it through. They can now add
> and remove people at will, including members of the technical team. They no
> longer need to go through the technical team.
> >>
> >> To be clear, I do not think any current member of the SG would ever do
> something like this. However, setting the precedent of all SG members being
> org owners does not seem like a good path to take. The steering group's
> role in governance should remain an advisory body of stakeholders,
> explicitly representing commercial interests in the CKAN project, and
> require consent of the technical team to make organization changes.
> >>
> >> Thank you,
> >> Tyler Kennedy
> >>
> >> On Mon, Jan 21, 2019 at 4:09 AM Paul Walsh <paul.walsh at okfn.org> wrote:
> >>>
> >>> Hi David,
> >>>
> >>> Yes, sure:
> >>>
> >>> the request is about governance for sure, which is a very important
> issue for me in general, and also in relation to CKAN. As part of getting
> access to some other data (the Google Sheets behind the census as Steven
> mentioned), I also checked access to GitHub and saw that (a) there are a
> lot of people on the CKAN organisation that I didn't know at what level
> they have access, and that (b) several SG members had no access (including
> myself, currently on the steering group representing OKI). I did not in any
> way think this could be seen as inappropriate, either from the point of
> view of the Association (as the Steering Group is part of the governance
> mechanism),
> >>>
> >>>
> >>>
> >>>
> >>> On Fri, 18 Jan 2019 at 18:46, David Read <
> david.read at hackneyworkshop.com> wrote:
> >>>>
> >>>> Paul,
> >>>>
> >>>> This change goes to the heart of ownership and governance of this open
> >>>> project. For full clarity Paul, would you mind answering some further
> >>>> questions?
> >>>>
> >>>> 1. Has the CKAN Steering Board agreed this action or is this an
> >>>> individual request?
> >>>
> >>>
> >>> I requested it while I was chasing up another request for another
> Steering Group member (as detailed in Steven's response). When I found I
> could not access these resources (even though they are in the okfn Google
> Drive), I also checked what else around CKAN I could or could not access. I
> saw I had no membership on the CKAN organisation on GitHub at all, I asked
> Adria if he could add me and others that were missing.
> >>>
> >>>>
> >>>> 2. What is the reason?
> >>>
> >>>
> >>> As the Steering Group oversees the project governance, it does not
> seem controversial that Steering Group members would have access to the
> organisation on GitHub.
> >>>
> >>>>
> >>>> 3. Are members of the Steering Board now going to make tech changes
> >>>> without the tech team first approving?
> >>>
> >>>
> >>> No. But why would access lead to that conclusion?
> >>>
> >>> Best,
> >>>
> >>> Paul
> >>>
> >>>
> >>>>
> >>>>
> >>>> Regards,
> >>>> David
> >>>>
> >>>>
> >>>>
> >>>> David
> >>>>
> >>>> --
> >>>> You received this message because you are subscribed to the Google
> Groups "CKAN Association Steering Group" group.
> >>>> To unsubscribe from this group and stop receiving emails from it,
> send an email to ckan-steering-group+unsubscribe at googlegroups.com.
> >>>> To post to this group, send an email to
> ckan-steering-group at googlegroups.com.
> >>>> To view this discussion on the web, visit
> https://groups.google.com/d/msgid/ckan-steering-group/CAOY41VU_CEFDUg1crL5uEHyn%3DYrr-6aioxgC7v7UpFYRGqcsEg%40mail.gmail.com
> .
> >>>> For more options, visit https://groups.google.com/d/optout.
> >>>
> >>> _______________________________________________
> >>> ckan-committers mailing list
> >>> ckan-committers at lists.okfn.org
> >>> https://lists.okfn.org/mailman/listinfo/ckan-committers
> >>
>
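As an added illustration (not code from the thread or from the CKAN project), the review Paul asks for and the plan Adrià lays out, run offline over a constructed snapshot of an organisation: owner count, members without 2FA, members outside every team, and direct admin grants on repos that bypass teams. The snapshot's field names and the `audit` and `apply_plan` helpers are assumptions for this example, loosely shaped like GitHub REST data rather than taken from any real org.

```python
"""Offline least-privilege audit of a GitHub-style organisation snapshot.

The snapshot is constructed for this example (no real CKAN accounts); in live
use the four fields would be filled from the org members, teams and repo
collaborator listings, which is outside the scope of this offline example.
"""

# Constructed sample: org owners, members with their 2FA status, team
# membership, and users holding a direct (non-team) admin grant per repo.
ORG = {
    "owners": {"alice", "bob", "carol"},
    "members": {"alice": True, "bob": True, "carol": False, "dave": True, "erin": False},
    "teams": {"core": {"alice", "dave"}, "docs": {"bob"}},
    "repo_admins": {"ckan": {"alice", "erin"}, "mapviews": {"carol", "frank"}},
}


def _team_users(org):
    """Every login that belongs to at least one team."""
    return set().union(*org["teams"].values()) if org["teams"] else set()


def audit(org):
    """Findings for the access review: who holds what, and what stands out."""
    members = set(org["members"])
    in_team = _team_users(org)
    return {
        # Each owner is full blast radius: a compromised owner can delete the org.
        "owner_count": len(org["owners"]),
        # Enforcing 2FA drops these accounts from the org until they enable it.
        "no_2fa": sorted(u for u, ok in org["members"].items() if not ok),
        # Members outside every team: candidates for removal under the plan.
        "not_in_any_team": sorted(members - in_team),
        # Direct admin grants held by people who are not even org members.
        "outside_admins": {r: sorted(a - members) for r, a in org["repo_admins"].items() if a - members},
    }


def apply_plan(org, keep_owners):
    """Post-change state: only `keep_owners` stay owners, members outside every
    team are removed, and removed users lose their direct repo admin grants."""
    in_team = _team_users(org)
    kept = {u: ok for u, ok in org["members"].items() if u in in_team or u in keep_owners}
    return {
        "owners": set(keep_owners) & set(kept),
        "members": kept,
        "teams": org["teams"],
        "repo_admins": {r: a & set(kept) for r, a in org["repo_admins"].items()},
    }
```

Running `audit` again on the result of `apply_plan` is the check that the cleanup actually closed the findings rather than just shuffling roles.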