+1

On Wed, Jun 4, 2025 at 8:54 PM Steve Ebersole via hibernate-dev <[email protected]> wrote:

> +1
>
> On Wed, Jun 4, 2025 at 1:53 PM Steve Ebersole <[email protected]> wrote:
>
>> +1
>>
>> On Wed, Jun 4, 2025 at 7:36 AM Davide D'Alto <[email protected]> wrote:
>>
>>> +1
>>>
>>> On Wed, Jun 4, 2025 at 2:14 PM Sanne Grinovero via hibernate-dev <[email protected]> wrote:
>>>
>>>> +1
>>>>
>>>> On Wed, 4 Jun 2025 at 11:32, Yoann Rodiere via hibernate-dev <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> As part of the move to Commonhaus, I'm currently going through our GitHub setup, and I'm noticing we have a lot of users with extensive (and I mean *extensive*, sometimes admin or even owner) access to our organization/repositories, but who are no longer regular contributors.
>>>>>
>>>>> Additionally, we also have organization members on GitHub who are not technically Hibernate members: they have never actually contributed to Hibernate, but are there for technical reasons, for example because they're coworkers who helped out with some infrastructure issue.
>>>>>
>>>>> While it's fine in principle, because we trust these people, it's very, very far from security best practices. Account hacking happens, email addresses get stolen, and the people using these GitHub accounts might one day be an attacker instead of the person we trust.
>>>>>
>>>>> According to Commonhaus' automated report, we're currently at 32 people having admin rights on one Hibernate repository or another. Which I think we can all agree is much more than necessary.
>>>>>
>>>>> For that reason, I'd like to propose that:
>>>>>
>>>>> 1. *We create an "Alumni" team in our GitHub organization*, moving to that team anyone who is actually a member, but hasn't contributed for... let's say 2 years? Of course this isn't a permanent thing, and we can simply move alumni back to the relevant team if they become active again.
>>>>> 2. *We move non-members out of our GitHub organization*, or to "external collaborators" (that's a GitHub feature) if still necessary.
>>>>> 3. *We schedule yearly audits of our GitHub configuration* to review access rights again in the future, and move people to the Alumni team as necessary.
>>>>>
>>>>> Note moving people in and out of teams will get them notified, so I would send another email directly to impacted people before/during the move, to avoid this being seen as personal/insulting. It's really not.
>>>>>
>>>>> *Thoughts, opinions, +1s?*
>>>>>
>>>>> Yoann Rodière
>>>>> Hibernate team
>>>>> _______________________________________________
>>>>> hibernate-dev mailing list -- [email protected]
>>>>> To unsubscribe send an email to [email protected]
>>>>> Privacy Statement: https://www.redhat.com/en/about/privacy-policy
>>>>> List Archives: https://lists.jboss.org/archives/list/[email protected]/message/UESVB3PYJ43BN72KI7XV5PCSTPWXPWTI/
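As an added illustration, not part of the thread or of Commonhaus' report, here is the proposed review expressed as a check over data shaped like GitHub's organization-member and repository-collaborator listings. The sample data is constructed; the `role_name` values and the member/collaborator structure are assumptions about the API shape, and the 2-year threshold is the one from the proposal.

```python
"""Access review over constructed, GitHub-API-shaped data (assumption: shape only)."""
from datetime import date, timedelta

INACTIVITY = timedelta(days=2 * 365)  # proposal: "hasn't contributed for... 2 years"

# Constructed sample. login -> (is an actual Hibernate member, date of last contribution).
MEMBERS = {
    "alice": (True, date(2025, 5, 30)),
    "bob": (True, date(2022, 1, 10)),    # member, but inactive for over two years
    "carol": (False, None),              # coworker who helped with infra, never contributed
    "dave": (True, date(2024, 9, 1)),
}
# Constructed sample. repo -> [(login, role_name)], mirroring per-repo collaborator listings.
COLLABORATORS = {
    "hibernate-orm": [("alice", "admin"), ("bob", "admin"), ("carol", "admin"), ("dave", "write")],
    "hibernate-search": [("alice", "admin"), ("bob", "maintain"), ("dave", "admin")],
}


def review(members, collaborators, today):
    """Apply the three proposed rules and report who is affected.

    - admins: everyone holding 'admin' on at least one repository (the figure the report counts)
    - alumni: actual members with no contribution inside the inactivity window
    - outside_collaborators: org members who are not Hibernate members at all
    - admins_after: admins left once alumni and non-members lose their org-level access
    """
    admins = {login for roles in collaborators.values()
              for login, role in roles if role == "admin"}
    alumni = sorted(login for login, (member, last) in members.items()
                    if member and (last is None or today - last > INACTIVITY))
    outside = sorted(login for login, (member, _) in members.items() if not member)
    return {
        "admins": sorted(admins),
        "alumni": alumni,
        "outside_collaborators": outside,
        "admins_after": sorted(admins - set(alumni) - set(outside)),
    }


if __name__ == "__main__":
    for key, value in review(MEMBERS, COLLABORATORS, date(2025, 6, 4)).items():
        print(f"{key}: {value}")
```

Running the same function against real listings is the yearly audit step; the output is the list of people to notify before moving them, as the proposal suggests.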
