
maria-developers team mailing list archive

Re: security spring cleaning in MariaDB org on github

 

Hi, Kristian!

On Nov 05, Kristian Nielsen wrote:
> Sergei Golubchik <serg@xxxxxxxxxxx> writes:
> 
> > If you think you need admin access, please request it (again).
> 
> Yes, please restore my access to the repo. I use it regularly, to work
> with web hooks, see how the repo is set up, etc.

I know, I'm a bit paranoid when granting privileges.
But hey, I'm security@xxxxxxxxxxx (and I was security@xxxxxxxxx for ~10
years), maybe it's a professional deformation :)
And owners are much too powerful to be treated lightly
https://help.github.com/articles/permission-levels-for-an-organization/

So I'll delegate this decision to Monty and Otto.

Or, perhaps we could export the information that you need (web hook
configuration and repo configuration) as a read-only view - what do you
think about it?

As far as I'm concerned, we can export all admin information (minus auth
tokens) visible to everyone - there is nothing secret there.

> > we're performing some spring cleaning in this area.
> 
> Who are "we"?

If you're asking who pressed the button, that was Rasmus. He already did
the same transition (from the legacy Admin group) for
https://github.com/mariadb-corporation/, so he knew how it works.

If you're asking whose idea it was to migrate away from the legacy Admin
group, it was mine.

> I was not included in any discussions, or even made aware that such
> discussions were taking place, why not?

Because that was a small admin task, something similar is done almost
every second day.

There are open discussions before any strategic decision, I believe.
But not before making minor day-to-day admin choices.

> > lost admin access to the org. Currently only the MariaDB Foundation
> > CEO and a few board members (those who actually have used admin
> > access recently) retained their admin rights.
> 
> Board members?
> 
> So admin access is needed to do technical work with the repo, to give
> people write access, and (currently) to see the list of members in
> teams.
> 
> Neither of these make *any* sense for board members. I mean, if I need
> to debug a problem with Buildbot not picking up my push, or want to
> set up a hook to listen for pushes or something, I should ask a *board
> member* to do it for me? Seriously?

So it happens, that MariaDB Foundation isn't a many-thousand-people
multi-national corporation :)

And some board members do admin work, and the CEO does Debian packaging.

Those who got admin access didn't get it because they're board members,
they got it because they need it to configure https://github.com/mariadb
(not only "need", they do actually use it).

> I assume you mean that the people with access are yourself Serg,
> Rasmus, and Otto. Monty is the fourth one? The two of us are probably
> the ones with the best knowledge of how to manage git and repositories
> for MariaDB, so you clearly make sense. Otto and Rasmus I assume is so
> that they can give write access to new employees, but that has nothing
> to do with Rasmus being a board member. And I doubt Monty does much
> work on github at all?

Yes, Rasmus, Otto, Monty, and me. I've looked at the audit log of who
was using admin access recently. Rasmus uses it regularly - the latest
change was creating Jira hooks (you might've noticed that Jira issues
now show related commits and pull requests). Otto was recently adding
and removing users and configuring Travis-CI hooks. I was setting up
permissions for users and debugging buildbot hooks. Monty doesn't do
much work on github, he might be adding users, rarely.

> Of course, the list of people with access is not even public, so one
> can only guess, not even know who to ask in case of any issues. You
> have to be a board member to even know who has repo access?

I hope not, but I really don't know what's visible to whom.

I can check how it works, probably create a second account and invite it
into mariadb on github as a normal non-privileged member...

> > 2FA is required for all admins (and highly recommended for all other members)
> Sure, I can set that up if you really want.

Thanks!

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

