#nubisprojectgithubuserpolicy - nubisproject github organization has no user management policy #76
Comments
@RichardWeiss can we have this in the policy/process? Note: Ideally, I would think something like the MOC should handle user administration (separation of duties), albeit with a documented policy the risk will be reduced accordingly.
From: http://nubis-docs.readthedocs.org/en/latest/CONTRIBUTING/

Committers

Each repository has a Committer Team, whose members are allowed to merge pull-requests into the repository. Note: It's bad practice to merge your own pull-requests, as that defeats the review process. Adding/Removing a member to that Team is the result of a majority vote among existing members. (Committer Agreement and Agreement to follow established processes, etc.) Each Team also has an appointed Technical Lead that holds a tie-breaking vote on that repository. Commit access is a privilege, not a right. It is earned by one's contributions and the quality of the work produced. It's all about the quality and health of the project, nothing less, nothing more.
@gozer thanks, it looks good! Basically that means there's a record of who can merge. A link to a GitHub-generated list is obviously easier/nicer, since then you don't need to edit the documentation when you add/remove people. @marianpiper (notification of changed risk level for related bug/risk: nubisproject/nubis-ci#104 #codepeerreview)
We can now see the list of people on https://github.com/orgs/Nubisproject/people
Turns out there are more people; I just can't see them because their relation with the project is set to private.
@gozer how can we/you reliably audit the list? (or ideally, tooling to do this automatically would be good)
GitHub has a pretty rich API, and it looks like what you need is possible as documented here:
@gozer I do not have the permissions to run these queries on your org, actually :( Additionally, if we (as in infosec) are to code and enforce the management of the GitHub organization, we should definitely check in with @jeffbryner and see how we can schedule that :)
@cshields @RichardWeiss can you answer the question from Sept 23 about policy/process/arch?
This is a Medium risk and will be addressed within the committed time frame. In the meantime, the current policy is documented here, per @gozer's previous comments: http://nubis-docs.readthedocs.org/en/latest/CONTRIBUTING/
"Adding/Removing a member to that Team is the result of a majority vote among existing members." <-- is this what you are referring to?
Hrm, yeah, that's not going to be sufficient. We will work on an improved policy.
@tinnightcap & @RichardWeiss will collaborate on a process utilizing ServiceNow to cauterize the existing process with the addition of management check-box approval and accounting.
The main example that we think of when it comes to user management, and the main area in which Mozilla typically fails, is when a Mozillian leaves the company. Having the authoritative list of users with commit rights in nubis-project be stored in ServiceNow, and a workflow requiring manager approval to be added to that list, will be good for preventing the unauthorized addition of users to nubis-project (assuming a process by which JD and gozer only add approved users in ServiceNow). The challenge will be when an approved user leaves the company: there will need to be something that triggers the removal of that user from nubis-project. JD suggested adding it as a manual step in @cshields' document of manual steps to go through when someone in IT leaves Mozilla.
Please add the planned process described here when you have it.
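The audit tooling asked for earlier in the thread (listing org members through the GitHub API and checking them against the authoritative ServiceNow list) could look like the following. This is an added example, not code from the Nubis project; the org name, token and the approved-list contents are placeholders and constructed sample data, and the ServiceNow export is assumed to be a simple login-to-active mapping.

```python
"""Reconcile GitHub org membership against an approved list (added example)."""
import json
import urllib.request

GITHUB_API = "https://api.github.com"


def fetch_org_members(org, token):
    """Page through GET /orgs/{org}/members. The caller must itself be an org
    member, otherwise memberships users have set to private are not returned
    (the gap noted above when viewing the org's people page)."""
    logins, page = [], 1
    while True:
        req = urllib.request.Request(
            f"{GITHUB_API}/orgs/{org}/members?per_page=100&page={page}",
            headers={"Authorization": f"Bearer {token}",
                     "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return logins
        logins.extend(member["login"] for member in batch)
        page += 1


def reconcile(actual_logins, approved):
    """approved maps login -> True (active, manager-approved) or False (left
    the company / approval revoked). Logins compare case-insensitively, as on
    GitHub. Returns the three findings an auditor acts on."""
    actual = {login.lower() for login in actual_logins}
    record = {login.lower(): active for login, active in approved.items()}
    active = {login for login, is_active in record.items() if is_active}
    return {
        # in the org but never approved: unauthorized addition
        "unapproved": sorted(actual - set(record)),
        # still in the org although the record says they left: offboarding miss
        "to_remove": sorted(login for login in actual if record.get(login) is False),
        # approved but not (yet) in the org: record and org have drifted
        "missing": sorted(active - actual),
    }


# Constructed sample data (placeholder logins, not real org members).
SAMPLE_MEMBERS = ["gozer", "JD-example", "contractor-x", "alumni-y"]
SAMPLE_APPROVED = {"gozer": True, "jd-example": True,
                   "alumni-y": False, "newhire-z": True}

if __name__ == "__main__":
    # Real run would be: reconcile(fetch_org_members("ORG", "TOKEN"), approved)
    print(json.dumps(reconcile(SAMPLE_MEMBERS, SAMPLE_APPROVED), indent=2))
```

Running it on a schedule and alerting on a non-empty "unapproved" or "to_remove" list gives the automatic trigger for departures that the comment above says is missing.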
From Risk Record

nubisproject github organization has no user management policy

Recommendation: Build a GitHub user management policy and tooling.

Nubis team mitigation: Only JD and Gozer will have access today.