add github management policies dir #155
Conversation
Signed-off-by: Jordan Harband <[email protected]> Signed-off-by: ctcpip <[email protected]> Signed-off-by: Amanda L Martin <[email protected]> Co-authored-by: Jordan Harband <[email protected]> Co-authored-by: ctcpip <[email protected]> Co-authored-by: Amanda L Martin <[email protected]>
ljharb
force-pushed
the
policies
branch
2 times, most recently
from
8f40d6c to
ad92748
Compare
policies/access.md
Outdated
|
|
||
| ## Github Org Membership | ||
|
|
||
| Membership in the Github org should be freely given - it inherently confers no permissions or privileges, only a badge on the user's profile if they enable it - and it _does_ allow for easier team management. Someone should only be removed from the org in extreme circumstances where their association with OpenSSF would be problematic, and people should be encouraged to remain in the org in perpetuity. |
There was a problem hiding this comment.
This feels different than many open source projects. Especially for a relatively new and also broad umbrella foundation, I worry that this freely given perpetual membership even if only a weak badging, might encourage confusion on what is or is not officially part, sponsored by, under consideration within the auspices of the foundation. That type of confusion and contention has already been a bit of a problem for the OpenSSF org.
I personally would prefer a simple and collaborative open membership. But I also want clarity of mission and propose and that to be easily discovered and difficult to confuse.
Perhaps this is less of an issue if leadership (ie: certain team memberships in the org?) roles are clearly marked. But GitHub team memberships tend to be opaque. I’m not sure if there is maybe an org setting which would allow team members be viewed by non org members. Or if not…alternatively if anybody can get org membership, I guess anybody could ask for org membership to be able to see team membership? Or GH team members defined by in repo yaml configs? Still not great UX though.
There was a problem hiding this comment.
Except perhaps in orgs with a very small number of members, it's unlikely that anyone would interpret anything about an individual's org membership alone beyond baseline participation. (And if they did, that would be quite misguided.)
There was a problem hiding this comment.
@tpepper OpenSSF is not itself an open source project, and this is how TC39 operates, which I think is more analogous.
I agree that it's not great UX that the only way to be on a team is to be in the org, but it seems a worthy tradeoff for me.
|
@steiza thanks, brand compliance now achieved 👍 |
| This is the parent team for SIGs. Every SIG should have a subteam contained within this one. All SIG subteams must start with `sig-` for consistency. | ||
| - [Projects](https://github.com/orgs/ossf/teams/projects) | ||
| This is the parent team for projects. Every project (eg scorecard, AO) should have a subteam contained within this one. | ||
| Teams for individual repositories go under here, which start with `repo-`, but team names may otherwise be unconstrained. |
There was a problem hiding this comment.
Following PLP(below) projects will need teams for each access level (eg scorecard-read, scorecard-traige, scorecard-write, scorecard-maintain)
There was a problem hiding this comment.
In the extreme yes, but we'd only create these as needed, since most repos don't need this granularity atm.
There was a problem hiding this comment.
I don't think this is just an extreme case. Take a look at the BP-WG group:
https://github.com/orgs/ossf/teams/wg-best-practices/members
https://github.com/orgs/ossf/teams/wg-best-practices/repositories
All those people who had some kind of access to any of the 6 repos now have write/maintain access to all of them. In an effort to reduce the manual configuration of groups. repos and access-levels will be consolidated and people will be getting access they don't need and/or shouldn't have.
There was a problem hiding this comment.
Sure, that's a fair point. However, when I created that specific team i was told that all members should have Write. There's a tradeoff here balancing convenience and "least privilege", and since Write is a pretty non-dangerous privilege, it seemed like a worthy one.
If we end up needing to do this for the majority of repos, then we should absolutely document it as the default approach, but we're not there yet today.
There was a problem hiding this comment.
There's a tradeoff here balancing convenience and "least privilege"
This is exactly my point. Without granular teams per repo and access level, we are reducing our security and going against PLP. Without some sort of automation or config-as-code way to manage the teams, convenience will undermine the goals of the teams mandate.
There was a problem hiding this comment.
I think that is something we can iterate on as well - automation is worth considering but in practice is often overkill, and the goal here isn't strict PLP, but a safer balance.
policies/access.md
Outdated
|
|
||
| ## Teams, not Individuals | ||
|
|
||
| Access to repositories will be granted only to GitHub teams, not to individuals. A repo may have any number of teams added to it, with the appropriate access levels. |
There was a problem hiding this comment.
How to we enforce this?
Allstar has a policy to nag if any individuals have write/admin access, we could use this.
There was a problem hiding this comment.
We already have an auditing tool; see https://github.com/ossf/github-org-access-scraper.
policies/access.md
Outdated
|
|
||
| Permission levels should be as high as they need to be, and no higher. | ||
|
|
||
| - There's few settings that justify Admin access over Maintain, so prefer Maintain. |
There was a problem hiding this comment.
Looks like Maintain doesn't allow setting up branch protection. A lot of or repos don't have this setup Will org admins set this up, if we don't have Admin access to our own repos?
There was a problem hiding this comment.
Yes; org admins (the PM team, primarily) will be available to do any repo administration that repo owners lack access to do.
There was a problem hiding this comment.
This doesn't seem like a tenable solution. If encouraging project owners to not have admin on the repos, they really need an easy way to read settings, and an automated way to apply changes.
https://gitlab.eclipse.org/eclipsefdn/security/otterdog is a tool we could use to do this, for example.
There was a problem hiding this comment.
This is definitely something we can iterate on; in my experience managing large github orgs (or in my own 400+ single-maintainer projects), maintainers rarely need Admin more than a handful of times over the lifetime of a repo, and as long as the friction is minimal when it's needed, it's "fine".
Note also that the language here is "prefer"; if anyone feels strongly that they want admin over a repo, then imo they can have it.
ljharb
force-pushed
the
policies
branch
2 times, most recently
from
be0cea8 to
cb7c1a9
Compare
|
I believe all comments have been addressed and this seems to have sufficient approvals. I'll land this later today if there's no further feedback/objections. |
Closes #153, assuming the tooling should live in a separate repo.
This is just an initial doc to get things started; happy to take any and all feedback.