+1

On Wed, Jun 4, 2025 at 8:54 PM Steve Ebersole via hibernate-dev <
hibernate-dev@lists.jboss.org> wrote:

> +1
>
> On Wed, Jun 4, 2025 at 1:53 PM Steve Ebersole <steven.ebers...@gmail.com>
> wrote:
>
> > +1
> >
> > On Wed, Jun 4, 2025 at 7:36 AM Davide D'Alto <daltodav...@gmail.com>
> > wrote:
> >
> >> +1
> >>
> >> On Wed, Jun 4, 2025 at 2:14 PM Sanne Grinovero via hibernate-dev <
> >> hibernate-dev@lists.jboss.org> wrote:
> >>
> >> > +1
> >> >
> >> >
> >> > On Wed, 4 Jun 2025 at 11:32, Yoann Rodiere via hibernate-dev <
> >> > hibernate-dev@lists.jboss.org> wrote:
> >> >
> >> > > Hello,
> >> > >
> >> > > As part of the move to Commonhaus, I'm currently going through our GitHub
> >> > > setup, and I'm noticing we have a lot of users with extensive (and I mean
> >> > > *extensive*, sometimes admin or even owner) access to our
> >> > > organization/repositories, but who are no longer regular contributors.
> >> > >
> >> > > Additionally, we also have organization members on GitHub who are not
> >> > > technically Hibernate members: they have never actually contributed to
> >> > > Hibernate, but are there for technical reasons, for example because they're
> >> > > coworkers who helped out with some infrastructure issue.
> >> > >
> >> > > While it's fine in principle, because we trust these people, it's very,
> >> > > very far from security best practices. Account hacking happens, email
> >> > > addresses get stolen, and the people using these GitHub accounts might one
> >> > > day be an attacker instead of the person we trust.
> >> > >
> >> > > According to Commonhaus' automated report, we're currently at 32 people
> >> > > having admin rights on one Hibernate repository or another. Which I think
> >> > > we can all agree is much more than necessary.
> >> > >
> >> > > For that reason, I'd like to propose that:
> >> > >
> >> > > 1. *We create an "Alumni" team in our GitHub organization*, moving to that
> >> > > team anyone who is actually a member, but hasn't contributed for... let's
> >> > > say 2 years? Of course this isn't a permanent thing, and we can simply move
> >> > > alumni back to the relevant team if they become active again.
> >> > > 2. *We move non-members out of our GitHub organization*, or to "external
> >> > > collaborators" (that's a GitHub feature) if still necessary.
> >> > > 3. *We schedule yearly audits of our GitHub configuration* to review access
> >> > > rights again in the future, and move people to the Alumni team as
> >> > > necessary.
> >> > >
> >> > > Note moving people in and out of teams will get them notified, so I would
> >> > > send another email directly to impacted people before/during the move, to
> >> > > avoid this being seen as personal/insulting. It's really not.
> >> > >
> >> > > *Thoughts, opinions, +1s?*
> >> > >
> >> > > Yoann Rodière
> >> > > Hibernate team
> >> > > _______________________________________________
> >> > > hibernate-dev mailing list -- hibernate-dev@lists.jboss.org
> >> > > To unsubscribe send an email to hibernate-dev-le...@lists.jboss.org
> >> > > Privacy Statement: https://www.redhat.com/en/about/privacy-policy
> >> > > List Archives:
> >> > > https://lists.jboss.org/archives/list/hibernate-dev@lists.jboss.org/message/UESVB3PYJ43BN72KI7XV5PCSTPWXPWTI/