Hibernate organization membership on GitHub
by Yoann Rodiere
Hello,
As part of the move to Commonhaus, I'm currently going through our GitHub
setup, and I'm noticing we have a lot of users with extensive (and I mean
*extensive*, sometimes admin or even owner) access to our
organization/repositories, but who are no longer regular contributors.
Additionally, we also have organization members on GitHub who are not
technically Hibernate members: they have never actually contributed to
Hibernate, but are there for technical reasons, for example because they're
coworkers who helped out with some infrastructure issue.
While it's fine in principle, because we trust these people, it's very,
very far from security best practices. Account hacking happens, email
addresses get stolen, and the people using these GitHub accounts might one
day be an attacker instead of the person we trust.
According to Commonhaus' automated report, we're currently at 32 people
having admin rights on one Hibernate repository or another, which I think
we can all agree is much more than necessary.
For that reason, I'd like to propose that:
1. *We create an "Alumni" team in our GitHub organization*, moving to that
team anyone who is actually a member, but hasn't contributed for... let's
say 2 years? Of course this isn't a permanent thing, and we can simply move
alumni back to the relevant team if they become active again.
2. *We move non-members out of our GitHub organization*, or to "external
collaborators" (that's a GitHub feature) if still necessary.
3. *We schedule yearly audits of our GitHub configuration* to review access
rights again in the future, and move people to the Alumni team as necessary.
Note that moving people in and out of teams will get them notified, so I would
send another email directly to impacted people before/during the move, to
avoid this being seen as personal/insulting. It's really not.
*Thoughts, opinions, +1s?*
Yoann Rodière
Hibernate team
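The audit proposed above (who holds admin rights, who has gone quiet for two years, who is in the org without being a member) can be computed offline from exported access data; the script below is an added example, not part of the original email or of Hibernate's or Commonhaus' tooling, and its input shape (a member-to-last-contribution map and a repo-to-collaborator-permission map) is an assumption you would fill from the GitHub API or an organization export.

```python
"""Offline GitHub access audit for the "Alumni" proposal (added example)."""
from datetime import date, timedelta

# The "2 years" inactivity threshold from the proposal.
STALE_AFTER = timedelta(days=730)

# Constructed sample: org members and the date of their last contribution.
# None means "never contributed" (e.g. a coworker added for an infra favour).
MEMBERS = {
    "alice": date(2024, 3, 1),
    "bob": date(2021, 5, 10),
    "carol": None,
}

# Constructed sample: per-repository direct collaborators and their permission
# level (assumed values: "read", "write", "maintain", "admin").
REPOS = {
    "hibernate-orm": {"alice": "admin", "bob": "admin", "dave": "write"},
    "hibernate-search": {"alice": "maintain", "carol": "admin", "bob": "admin"},
}


def audit(members, repos, today, stale_after=STALE_AFTER):
    """Return the three lists the proposal acts on.

    admins        - everyone holding admin on at least one repository
    stale_admins  - admins who are inactive past the threshold: candidates for
                    the Alumni team, which should carry no admin rights
    non_members   - collaborators who are not org members: move to
                    "external collaborators" or remove
    """
    admins = {login for perms in repos.values()
              for login, level in perms.items() if level == "admin"}
    stale = {login for login, last in members.items()
             if last is None or today - last > stale_after}
    everyone = {login for perms in repos.values() for login in perms}
    return {
        "admins": sorted(admins),
        "stale_admins": sorted(admins & stale),
        "non_members": sorted(everyone - members.keys()),
    }


if __name__ == "__main__":
    for key, logins in audit(MEMBERS, REPOS, date(2024, 6, 1)).items():
        print(f"{key:13s} ({len(logins)}): {', '.join(logins) or '-'}")
```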
New CI machine preview
by Sanne Grinovero
You're all welcome to play with http://54.225.162.168/;
however, please keep these in mind:
- it's not the final machine: don't put too much effort in creating
nice build scripts as we'll reset it to clean state soon. We *might*
be able to store jobs defined so far, but we might choose not to.
- domain name should be coming: ci.hibernate.org ..not sure when, got
no replies so far from.
- authentication: just click on login, it will use OAuth2 to request
your identity via your GitHub account. Permissions to create new jobs,
edit existing jobs, run a build manually depend on your GitHub account
being part of the Hibernate organization (or not, in which case you have
read-only status)
At this stage I'd like to get a feeling if the hardware is powerful
enough, and also we need to select which other plugins we want to use.
I'm looking especially at:
- static analysis reports
- pull requests integration
Both are relatively undefined; we can of course start simple and
improve later... just checking this fits basic needs now.
Sanne