Hi Everybody,

I am currently collecting feedback about the best way to manage user access to 
the Jenkins-infra GitHub organization and more specifically for people who 
don't contribute anymore (whatever the reason).

I recently reviewed user permissions on the GitHub Jenkins infrastructure 
organization and we have 53 people with different kinds of permission. A lot of 
them stepped back or just don't actively contribute anymore.
This brings unneeded risk to the GitHub organization as they have change 
permissions even though a lot of them don't need those permissions anymore. 
Differently said, it doesn't make sense to take the risk that a compromised 
account introduces changes in our git repositories if that account doesn't need 
privileged access anymore.

So I am proposing to create a new "team" named alumni which would have 
read-only permissions on every public repository.
This would bring the following benefits:

 1. We would still be able to assign individual alumni group members PRs or 
issues as knowledge experts.
 2. Alumni team members will have the "jenkins-infra" badge on their GitHub 
user profile as a way to highlight their past contributions.
 3. If for some reason a malicious user gets access to one of the alumni 
accounts, that attacker won't be able to merge PRs, which reduces the risk on the 
GitHub organization.
 4. Of course, once a contributor gets more active, we can still remove him from 
the alumni group and grant him more permissions.

Any thoughts? 
Without any feedback, I'll wait one week, starting from this email, before 
implementing my plan.

Cheers,

Olivier

-- 
  Olblak
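As an added illustration (not code from the jenkins-infra project or from the author of the message above), the following script shows the two checks a maintainer would want to run after creating such an alumni team: that the team itself grants nothing beyond read ("pull" in the GitHub REST API) on every repository, and that no alumni member silently keeps write access through another team. The data is a hand-constructed snapshot in the shape returned by GET /orgs/{org}/teams/{team_slug}/repos (repo objects with a `permissions` map) and GET /orgs/{org}/teams/{team_slug}/members; the organization and team names, repository names and logins are placeholders. The remediation planner only builds the API calls, it does not execute them.

```python
"""Offline audit of a read-only "alumni" team on a GitHub organization.

Added example, not project code. The two snapshots below are constructed by
hand in the shape the GitHub REST API returns; in practice you would fetch
them (e.g. with `gh api`) and pass the parsed JSON to the same functions.
"""
from typing import Dict, List, Tuple

# Constructed sample of GET /orgs/{org}/teams/{team_slug}/repos for two teams.
# Each repo carries a 'permissions' map; only 'pull' is read-only.
TEAM_REPOS: Dict[str, List[dict]] = {
    "alumni": [
        {"name": "example-repo-a",
         "permissions": {"admin": False, "maintain": False, "push": False,
                         "triage": False, "pull": True}},
        {"name": "example-repo-b",   # mistakenly granted write
         "permissions": {"admin": False, "maintain": False, "push": True,
                         "triage": True, "pull": True}},
    ],
    "core": [
        {"name": "example-repo-a",
         "permissions": {"admin": False, "maintain": True, "push": True,
                         "triage": True, "pull": True}},
    ],
}

# Constructed sample of GET /orgs/{org}/teams/{team_slug}/members (logins only).
TEAM_MEMBERS: Dict[str, List[str]] = {
    "alumni": ["alice", "bob"],   # bob is still in "core" as well
    "core": ["bob", "carol"],
}

# Anything beyond 'pull' lets a team member change repository state.
MORE_THAN_READ = ("admin", "maintain", "push", "triage")


def repos_with_write(repos: List[dict]) -> List[str]:
    """Names of repos on which the permissions map grants more than read."""
    return sorted(r["name"] for r in repos
                  if any(r["permissions"].get(level) for level in MORE_THAN_READ))


def audit_alumni(team_repos: Dict[str, List[dict]],
                 team_members: Dict[str, List[str]],
                 alumni: str = "alumni") -> List[str]:
    """Return human-readable findings; an empty list means the team is clean."""
    findings = []
    for repo in repos_with_write(team_repos.get(alumni, [])):
        findings.append(f"team {alumni} has more than read on {repo}")
    # Alumni who keep write access through membership of another team.
    alumni_members = set(team_members.get(alumni, []))
    for team, members in team_members.items():
        if team == alumni:
            continue
        write_repos = repos_with_write(team_repos.get(team, []))
        if not write_repos:
            continue
        for login in sorted(alumni_members & set(members)):
            findings.append(f"{login} is alumni but keeps write via team {team} "
                            f"on {', '.join(write_repos)}")
    return findings


def remediation_calls(org: str, team_repos: Dict[str, List[dict]],
                      alumni: str = "alumni") -> List[Tuple[str, str, dict]]:
    """Plan (not execute) the REST calls that downgrade the team to read-only.

    PUT /orgs/{org}/teams/{team_slug}/repos/{owner}/{repo} with
    {"permission": "pull"} sets the team's access on that repo to read.
    """
    return [("PUT", f"/orgs/{org}/teams/{alumni}/repos/{org}/{repo}",
             {"permission": "pull"})
            for repo in repos_with_write(team_repos.get(alumni, []))]


if __name__ == "__main__":
    for line in audit_alumni(TEAM_REPOS, TEAM_MEMBERS):
        print("FINDING:", line)
    for method, path, body in remediation_calls("example-org", TEAM_REPOS):
        print("PLAN:", method, path, body)
```

Run against real data, the second check is the one that matters most: moving an account into the alumni team does nothing if it is still a member of a team that can push, or a direct collaborator on a repository, so the team snapshot should be complemented with GET /repos/{owner}/{repo}/collaborators for the repositories that matter.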


-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/946e9c82-73ce-4365-bd14-0cc17d2c4d69%40www.fastmail.com.