[Maria-developers] security spring cleaning in MariaDB org on github
Hi,

Now that GitHub has per-user ownership rights and suggests to migrate away from the legacy admin team https://help.github.com/articles/migrating-your-previous-admin-teams-to-the-... we're performing some spring cleaning in this area.

The legacy admin team (named "Core") is removed. Most of its members lost admin access to the org. Currently only the MariaDB Foundation CEO and a few board members (those who actually have used admin access recently) retained their admin rights.

Everyone who was in the Core team should still have write access to repositories; if you've found that it's not the case, please complain asap.

If you think you need admin access, please request it (again). Note that
- only members of the organization can have it, being in the Developers group is a plus
- 2FA is required for all admins (and highly recommended for all other members)

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
Sergei Golubchik <serg@mariadb.org> writes:

> If you think you need admin access, please request it (again).

Yes, please restore my access to the repo. I use it regularly, to work with web hooks, see how the repo is set up, etc.

> we're performing some spring cleaning in this area.

Who are "we"? I was not included in any discussions, or even made aware that such discussions were taking place, why not?

> lost admin access to the org. Currently only the MariaDB Foundation CEO and a few board members (those who actually have used admin access recently) retained their admin rights.

Board members? So admin access is needed to do technical work with the repo, to give people write access, and (currently) to see the list of members in teams. Neither of these makes *any* sense for board members. I mean, if I need to debug a problem with Buildbot not picking up my push, or want to set up a hook to listen for pushes or something, I should ask a *board member* to do it for me? Seriously?

I assume you mean that the people with access are yourself Serg, Rasmus, and Otto. Monty is the fourth one? The two of us are probably the ones with the best knowledge of how to manage git and repositories for MariaDB, so you clearly make sense. Otto and Rasmus I assume is so that they can give write access to new employees, but that has nothing to do with Rasmus being a board member. And I doubt Monty does much work on github at all?

Of course, the list of people with access is not even public, so one can only guess, not even know who to ask in case of any issues. You have to be a board member to even know who has repo access?

> 2FA is required for all admins (and highly recommended for all other members)

Sure, I can set that up if you really want.

- Kristian.
Hi, Kristian! On Nov 05, Kristian Nielsen wrote:
> Sergei Golubchik <serg@mariadb.org> writes:
>> If you think you need admin access, please request it (again).
>
> Yes, please restore my access to the repo. I use it regularly, to work with web hooks, see how the repo is set up, etc.

I know, I'm a bit paranoid when granting privileges. But hey, I'm security@mariadb.org (and I was security@mysql.com for ~10 years), maybe it's a professional deformation :) And owners are much too powerful to be treated lightly https://help.github.com/articles/permission-levels-for-an-organization/

So I'll delegate this decision to Monty and Otto.

Or, perhaps we could export the information that you need (web hook configuration and repo configuration) as a read-only view - what do you think about it? As far as I'm concerned, we can export all admin information (minus auth tokens) visible to everyone - there is nothing secret there.

>> we're performing some spring cleaning in this area.
>
> Who are "we"?

If you're asking who pressed the button, that was Rasmus. He already did the same transition (from the legacy Admin group) for https://github.com/mariadb-corporation/, so he knew how it works. If you're asking whose idea it was to migrate away from the legacy Admin group, it was mine.

> I was not included in any discussions, or even made aware that such discussions were taking place, why not?

Because that was a small admin task, something similar is done almost every second day. There are open discussions before any strategic decision, I believe. But not before making minor day-to-day admin choices.

>> lost admin access to the org. Currently only the MariaDB Foundation CEO and a few board members (those who actually have used admin access recently) retained their admin rights.
>
> Board members?
>
> So admin access is needed to do technical work with the repo, to give people write access, and (currently) to see the list of members in teams.
>
> Neither of these makes *any* sense for board members. I mean, if I need to debug a problem with Buildbot not picking up my push, or want to set up a hook to listen for pushes or something, I should ask a *board member* to do it for me? Seriously?

So it happens that MariaDB Foundation isn't a many-thousand-people multi-national corporation :) And some board members do admin work, and the CEO does Debian packaging. Those who got admin access didn't get it because they're board members; they got it because they need it to configure https://github.com/mariadb (not only "need", they do actually use it).

> I assume you mean that the people with access are yourself Serg, Rasmus, and Otto. Monty is the fourth one? The two of us are probably the ones with the best knowledge of how to manage git and repositories for MariaDB, so you clearly make sense. Otto and Rasmus I assume is so that they can give write access to new employees, but that has nothing to do with Rasmus being a board member. And I doubt Monty does much work on github at all?

Yes, Rasmus, Otto, Monty, and me. I've looked at the audit log of who was using admin access recently. Rasmus uses it regularly - the latest change was creating Jira hooks (you might've noticed that Jira issues now show related commits and pull requests). Otto was recently adding and removing users and configuring Travis-CI hooks. I was setting up permissions for users and debugging buildbot hooks. Monty doesn't do much work on github, he might be adding users, rarely.

> Of course, the list of people with access is not even public, so one can only guess, not even know who to ask in case of any issues. You have to be a board member to even know who has repo access?

I hope not, but I really don't know what's visible to whom. I can check how it works, probably create a second account and invite it into mariadb on github as a normal non-privileged member...

>> 2FA is required for all admins (and highly recommended for all other members)
>
> Sure, I can set that up if you really want.

Thanks!

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
Sergei Golubchik <serg@mariadb.org> writes:

> And owners are much too powerful to be treated lightly https://help.github.com/articles/permission-levels-for-an-organization/

> Because that was a small admin task, something similar is done almost every second day.

I see. I am sad - and hurt - that you consider my involvement a security risk. I was always heavily involved in maintaining our repositories and other infrastructure, ever since the very start of MariaDB early 2009. If your personal goal is to restrict people's access as much as possible, all I can say is that it is not how I understand open source. But I doubt I would be able to find many allies to contest your point of view. At least your explanation helped me understand my role (or lack of same) in MariaDB.

> I hope not, but I really don't know what's visible to whom.
> I can check how it works, probably create a second account and invite it into mariadb on github as a normal non-privileged member...

If you hadn't removed my access, I could have told you which settings would need to be changed...

Thanks,

- Kristian.
Hi, Kristian! On Nov 06, Kristian Nielsen wrote:
> I am sad - and hurt - that you consider my involvement a security risk. I was always heavily involved in maintaining our repositories and other infrastructure, ever since the very start of MariaDB early 2009.

Kristian, I consider everyone's involvement a security risk :) I believe that to reduce the "defence perimeter", only admins should have the admin access. But I certainly trust you to be one of them, so if you'd want to have owner access for mariadb org on github, you can have it, I think. That would mean actually using it, making changes as needed, on a regular basis. I'll probably step back then myself, one responsibility less for me :) Four active owners should be enough to maintain mariadb on github. Even three is enough.

> If your personal goal is to restrict people's access as much as possible, all I can say is that it is not how I understand open source. But I doubt I would be able to find many allies to contest your point of view.

Not exactly. I've said in an earlier email that I'd rather make all the admin information visible for everyone - there is nothing there that should be hidden (besides authentication tokens, obviously). So I'd prefer it as open as possible - but read-only. World-readable, not world-writable.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
Sergei Golubchik <serg@mariadb.org> writes:

> But I certainly trust you to be one of them, so if you'd want to have owner access for mariadb org on github, you can have it, I think. That would mean actually using it, making changes as needed, on a regular basis.

Well, I'm happy to help with managing the repo, of course. Like, you mentioned debugging buildbot hooks, which I am already doing (or was...). Actually, I wanted to clean up unused branches in the repo, but I'll send out that separately.

> Not exactly. I've said in an earlier email that I'd rather make all the admin information visible for everyone - there is nothing there that should be hidden (besides authentication tokens, obviously).

The Admin team itself is not visible. Maybe it's just the "Visible" setting that needs to be set under "Edit Team"?

- Kristian.