+1
On Wed, Jun 4, 2025 at 1:53 PM Steve Ebersole <steven.ebersole(a)gmail.com>
wrote:
+1
On Wed, Jun 4, 2025 at 7:36 AM Davide D'Alto <daltodavide(a)gmail.com>
wrote:
> +1
>
> On Wed, Jun 4, 2025 at 2:14 PM Sanne Grinovero via hibernate-dev <
> hibernate-dev(a)lists.jboss.org> wrote:
>
> > +1
> >
> >
> > On Wed, 4 Jun 2025 at 11:32, Yoann Rodiere via hibernate-dev <
> > hibernate-dev(a)lists.jboss.org> wrote:
> >
> > > Hello,
> > >
> > > As part of the move to Commonhaus, I'm currently going through our GitHub
> > > setup, and I'm noticing we have a lot of users with extensive (and I mean
> > > *extensive*, sometimes admin or even owner) access to our
> > > organization/repositories, but who are no longer regular contributors.
> > >
> > > Additionally, we also have organization members on GitHub who are not
> > > technically Hibernate members: they have never actually contributed to
> > > Hibernate, but are there for technical reasons, for example because they're
> > > coworkers who helped out with some infrastructure issue.
> > >
> > > While it's fine in principle, because we trust these people, it's very,
> > > very far from security best practices. Account hacking happens, email
> > > addresses get stolen, and the people using these GitHub accounts might one
> > > day be an attacker instead of the person we trust.
> > >
> > > According to Commonhaus' automated report, we're currently at 32 people
> > > having admin rights on one Hibernate repository or another. Which I think
> > > we can all agree is much more than necessary.
> > >
> > > For that reason, I'd like to propose that:
> > >
> > > 1. *We create an "Alumni" team in our GitHub organization*, moving to that
> > > team anyone who is actually a member, but hasn't contributed for... let's
> > > say 2 years? Of course this isn't a permanent thing, and we can simply move
> > > alumni back to the relevant team if they become active again.
> > > 2. *We move non-members out of our GitHub organization*, or to "external
> > > collaborators" (that's a GitHub feature) if still necessary.
> > > 3. *We schedule yearly audits of our GitHub configuration* to review access
> > > rights again in the future, and move people to the Alumni team as
> > > necessary.
> > >
> > > Note moving people in and out of teams will get them notified, so I would
> > > send another email directly to impacted people before/during the move, to
> > > avoid this being seen as personal/insulting. It's really not.
> > >
> > > *Thoughts, opinions, +1s?*
> > >
> > > Yoann Rodière
> > > Hibernate team
> > > _______________________________________________
> > > hibernate-dev mailing list -- hibernate-dev(a)lists.jboss.org
> > > To unsubscribe send an email to hibernate-dev-leave(a)lists.jboss.org
> > > Privacy Statement: https://www.redhat.com/en/about/privacy-policy
> > > List Archives:
> > > https://lists.jboss.org/archives/list/hibernate-dev@lists.jboss.org/messa...
> > >