[Github] jenkins-infra alumni team

9 messages

[Github] jenkins-infra alumni team

Olivier Vernin
Hi Everybody,

I am currently collecting feedback about the best way to manage user access to the jenkins-infra GitHub organization, and more specifically for people who don't contribute anymore (whatever the reason).

I recently reviewed user permissions on the GitHub Jenkins infrastructure organization and we have 53 people with different kinds of permissions. A lot of them stepped back or just don't actively contribute anymore.
This brings unneeded risk to the GitHub organization, as they still have permissions to make changes even though a lot of them don't need those permissions anymore. Put differently, it doesn't make sense to take the risk that a compromised account introduces changes in our git repositories if that account doesn't need privileged access anymore.

So I am proposing to create a new "team" named alumni which would have read-only permissions on every public repository.
This would bring the following benefits:

  1. We would still be able to assign PRs or issues to individual alumni team members as knowledge experts.
  2. Alumni team members will have the "jenkins-infra" badge on their GitHub user profile as a way to highlight their past contribution.
  3. If for some reason a malicious user gets access to one of the alumni accounts, that attacker won't be able to merge PRs, which reduces the risk to the GitHub organization.
  4. Of course, once a contributor gets more active again, we can still remove them from the alumni team and grant them more permissions.
Any thoughts?
Without any feedback, I'll wait one week from this email and then implement my plan.

Cheers,

Olivier

--
  Olblak



--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/946e9c82-73ce-4365-bd14-0cc17d2c4d69%40www.fastmail.com.
Re: [Github] jenkins-infra alumni team

Arnaud Héritier
+1

On Thu, Mar 25, 2021 at 10:55 AM Olblak <[hidden email]> wrote:
--
Arnaud Héritier
Twitter/Skype : aheritier

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFNCU--n%3Dzf3EDPC1j68n95wXYLu4Je_YCYfs3CUo%3DpQTnUz5g%40mail.gmail.com.
Re: [jenkins-infra] [Github] jenkins-infra alumni team

Oleg Nenashev
In reply to this post by Olivier Vernin
+1. I suggest we do the same for the jenkinsci organization.
We have quite a number of core maintainers who have stepped down. They are still org members, but having a team for these contributors would be helpful.

On Thu, Mar 25, 2021 at 11:15 AM Carlos Tadeu Panato Jr <[hidden email]> wrote:
+1

Em qui., 25 de mar. de 2021 às 10:55, Olblak <[hidden email]> escreveu:
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAPfivLCFk3F2SjOug9QgdCuL9hOugEO8Q4173ATfJ47Uvg%3D2Vw%40mail.gmail.com.
Re: [Github] jenkins-infra alumni team

Mark Waite-2
In reply to this post by Olivier Vernin
+1 from me.

On Thursday, March 25, 2021 at 3:55:16 AM UTC-6 Olblak wrote:
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/7719a88f-ee56-465a-a44e-67867c473cb2n%40googlegroups.com.
Re: [Github] jenkins-infra alumni team

Xiaojie Zhao
+1 from me



On 03/26/2021 00:16 [hidden email] wrote:
+1 from me.

On Thursday, March 25, 2021 at 3:55:16 AM UTC-6 Olblak wrote:
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/7faf2c04.2688.1786c140815.Coremail.zxjlwt%40126.com.
Re: [Github] jenkins-infra alumni team

YanJun Shi
+1 from me

On Fri, Mar 26, 2021 at 9:11 AM Rick <[hidden email]> wrote:
+1 from me



On 03/26/2021 00:16 [hidden email] wrote:
+1 from me.

On Thursday, March 25, 2021 at 3:55:16 AM UTC-6 Olblak wrote:
--
Shi Yanjun(yJunS)

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CALfBRDqV%3Dn36NFAZn89iPPryiLY5jnMp_e9ZPjPhhAhUUee2Eg%40mail.gmail.com.
Re: [Github] jenkins-infra alumni team

Oleg Nenashev
I went ahead and created a team in the jenkinsci org https://github.com/orgs/jenkinsci/teams/alumni 
I will move some of the known inactive contributors there.

On Sunday, March 28, 2021 at 3:13:43 PM UTC+2 [hidden email] wrote:
+1 from me

On Fri, Mar 26, 2021 at 9:11 AM Rick <[hidden email]> wrote:
+1 from me



On 03/26/2021 00:16 Mark Waite <[hidden email]> wrote:
+1 from me.

On Thursday, March 25, 2021 at 3:55:16 AM UTC-6 Olblak wrote:
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/50aa7676-2e97-48a4-9f6c-cbb968e077d6n%40googlegroups.com.
Re: [Github] jenkins-infra alumni team

Olblak-2
Thanks everybody for your feedback, I'll create that team and start moving people there

On Mon, Mar 29, 2021, at 2:15 PM, Oleg Nenashev wrote:
I went ahead and created a team in the jenkinsci org https://github.com/orgs/jenkinsci/teams/alumni 
I will move some of the known inactive contributors there.
On Sunday, March 28, 2021 at 3:13:43 PM UTC+2 [hidden email] wrote:
+1 from me


On Fri, Mar 26, 2021 at 9:11 AM Rick <[hidden email]> wrote:

+1 from me





On 03/26/2021 00:16 Mark Waite <[hidden email]> wrote:
+1 from me.

On Thursday, March 25, 2021 at 3:55:16 AM UTC-6 Olblak wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/a7fa95f1-217e-464c-bd27-c4e93860f428%40www.fastmail.com.
Re: [Github] jenkins-infra alumni team

Olblak-2
Hi Everybody,
I made a few changes to the jenkins-infra GitHub organization.

**jenkins-infra/alumni**
I created the alumni team here; feel free to reach out if I put the wrong person there and I'll revert it, or if I am missing someone.

**Repository permission**
Several teams had "admin" permission and I switched that to "maintain".

I started reviewing team repository permissions and, while I made a few changes, I still have pending work, but feel free to suggest teams that should or should not have access to a specific repository.

Cheers


On Mon, Mar 29, 2021, at 3:12 PM, 'Olblak' via Jenkins Developers wrote:
Thanks everybody for your feedback, I'll create that team and start moving people there

On Mon, Mar 29, 2021, at 2:15 PM, Oleg Nenashev wrote:
I went ahead and created a team in the jenkinsci org https://github.com/orgs/jenkinsci/teams/alumni 
I will move some of the known inactive contributors there.
On Sunday, March 28, 2021 at 3:13:43 PM UTC+2 [hidden email] wrote:
+1 from me


On Fri, Mar 26, 2021 at 9:11 AM Rick <[hidden email]> wrote:

+1 from me





On 03/26/2021 00:16 Mark Waite <[hidden email]> wrote:
+1 from me.

On Thursday, March 25, 2021 at 3:55:16 AM UTC-6 Olblak wrote:

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/8704d2a2-b742-4433-9f42-23b571f74c99%40www.fastmail.com.
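The review Olivier describes above (find teams holding more than "maintain", find an alumni team that is not actually read-only, list members who have gone quiet) is easy to automate. The script below is an added example written for this page; it is not code from the thread or from the jenkins-infra project. It works offline on data shaped like the GitHub REST API response for `GET /orgs/{org}/teams/{team_slug}/repos` (each repository carries a `permissions` object with boolean `admin`, `maintain`, `push`, `triage` and `pull` flags). The team names, repository names, member logins and activity dates are constructed for illustration and are not the real jenkins-infra membership.

```python
"""Audit GitHub team permissions the way the thread describes: flag teams that
hold more than "maintain", flag a read-only team that has write anywhere, and
list members whose last activity is older than a threshold.

Example code, not the jenkins-infra project's own tooling.  The input is shaped
like the GitHub REST API's team-repository permissions response; all values
below are constructed samples.
"""
from datetime import date, timedelta

# GitHub's repository permission levels, most to least privileged.
LEVELS = ("admin", "maintain", "push", "triage", "pull")

# Constructed sample of /orgs/<org>/teams/<team>/repos responses, keyed by team.
SAMPLE_TEAM_REPOS = {
    "infra-admins": [
        {"name": "jenkins-infra",
         "permissions": {"admin": True, "maintain": True, "push": True,
                         "triage": True, "pull": True}},
    ],
    "alumni": [
        {"name": "jenkins-infra",
         "permissions": {"admin": False, "maintain": False, "push": False,
                         "triage": False, "pull": True}},
        # A mistake worth catching: the read-only team still has push here.
        {"name": "docker-builder",
         "permissions": {"admin": False, "maintain": False, "push": True,
                         "triage": True, "pull": True}},
    ],
}

# Constructed sample of org members with their last observed activity.
SAMPLE_MEMBERS = [
    {"login": "alice", "last_activity": date(2021, 3, 1)},
    {"login": "bob", "last_activity": date(2019, 6, 12)},
    {"login": "carol", "last_activity": date(2020, 1, 15)},
]


def effective_level(permissions):
    """Collapse GitHub's boolean flags into the single highest level granted."""
    for level in LEVELS:
        if permissions.get(level):
            return level
    return None


def audit_team_permissions(team_repos, read_only_teams=("alumni",),
                           max_level="maintain"):
    """Return (team, repo, current_level, expected_level) for every grant that
    exceeds policy: read-only teams must be exactly "pull", every other team
    must not exceed max_level."""
    findings = []
    ceiling = LEVELS.index(max_level)
    for team, repos in team_repos.items():
        for repo in repos:
            level = effective_level(repo["permissions"])
            if level is None:
                continue
            if team in read_only_teams and level != "pull":
                findings.append((team, repo["name"], level, "pull"))
            elif LEVELS.index(level) < ceiling:
                findings.append((team, repo["name"], level, max_level))
    return findings


def inactive_members(members, today, days=365):
    """Logins whose last activity is strictly older than `days` before today;
    these are the candidates to move into the alumni team."""
    cutoff = today - timedelta(days=days)
    return sorted(m["login"] for m in members if m["last_activity"] < cutoff)


if __name__ == "__main__":
    for team, repo, have, want in audit_team_permissions(SAMPLE_TEAM_REPOS):
        print(f"{team} on {repo}: has {have}, policy allows {want}")
    print("alumni candidates:", inactive_members(SAMPLE_MEMBERS, date(2021, 3, 25)))
```

In a real run the two sample dictionaries would be replaced with the JSON returned for each team, and the "last activity" date would come from whatever signal the organization trusts (commits, reviews, issue activity). The audit deliberately treats the read-only team as a hard "pull only" rule rather than a ceiling, so a stray push grant on a single repository shows up even though it is below "maintain".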