Hello,
Thanks for your answers.

I proceeded with the changes, notifying everyone as necessary, and finished the changes a few days ago. I have not found a way to detect alumni on the website [1] yet, so for now all members are mixed together. Which I think is fine as a first step. I set up a reminder to go through this process again next year.

[1] https://hibernate.org/community/team/

Have a nice day,
Yoann Rodière
Hibernate team

On Wed, Jun 18, 2025 at 5:41 PM Christian Beikov via hibernate-dev <[email protected]> wrote:
> +1
>
> On 04.06.2025 at 12:21, Yoann Rodiere via hibernate-dev wrote:
> > Hello,
> >
> > As part of the move to Commonhaus, I'm currently going through our GitHub setup, and I'm noticing we have a lot of users with extensive (and I mean *extensive*, sometimes admin or even owner) access to our organization/repositories, but who are no longer regular contributors.
> >
> > Additionally, we also have organization members on GitHub who are not technically Hibernate members: they have never actually contributed to Hibernate, but are there for technical reasons, for example because they're coworkers who helped out with some infrastructure issue.
> >
> > While it's fine in principle, because we trust these people, it's very, very far from security best practices. Account hacking happens, email addresses get stolen, and the people using these GitHub accounts might one day be an attacker instead of the person we trust.
> >
> > According to Commonhaus' automated report, we're currently at 32 people having admin rights on one Hibernate repository or another. Which I think we can all agree is much more than necessary.
> >
> > For that reason, I'd like to propose that:
> >
> > 1. *We create an "Alumni" team in our GitHub organization*, moving to that team anyone who is actually a member, but hasn't contributed for... let's say 2 years? Of course this isn't a permanent thing, and we can simply move alumni back to the relevant team if they become active again.
> > 2. *We move non-members out of our GitHub organization*, or to "external collaborators" (that's a GitHub feature) if still necessary.
> > 3. *We schedule yearly audits of our GitHub configuration* to review access rights again in the future, and move people to the Alumni team as necessary.
> >
> > Note moving people in and out of teams will get them notified, so I would send another email directly to impacted people before/during the move, to avoid this being seen as personal/insulting. It's really not.
> >
> > *Thoughts, opinions, +1s?*
> >
> > Yoann Rodière
> > Hibernate team
> > _______________________________________________
> > hibernate-dev mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Privacy Statement: https://www.redhat.com/en/about/privacy-policy
> > List Archives: https://lists.jboss.org/archives/list/[email protected]/message/UESVB3PYJ43BN72KI7XV5PCSTPWXPWTI/
> _______________________________________________
> hibernate-dev mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Privacy Statement: https://www.redhat.com/en/about/privacy-policy
> List Archives: https://lists.jboss.org/archives/list/[email protected]/message/NIC4TY2ZE74UZ4CTFLIM3QPCR6SU3QN7/
_______________________________________________
hibernate-dev mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Privacy Statement: https://www.redhat.com/en/about/privacy-policy
List Archives: https://lists.jboss.org/archives/list/[email protected]/message/HQTBRVWTOINXZWTGA6KBAGKDL7UAMHM4/
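The access review proposed in the quoted message (who holds admin on any repository, which members have not contributed for two years and belong in an Alumni team, which collaborators are not organization members at all) can be driven by a small audit script. The following is an added example, not code from the Hibernate project: it runs over constructed data shaped like GitHub REST API member and collaborator listings instead of calling the API, and the repository names, logins, dates and the `NOW` audit date are assumptions.

```python
from datetime import datetime, timedelta, timezone
STALE_AFTER = timedelta(days=2 * 365)  # proposal: no contribution for 2 years

# Constructed sample data shaped like the GitHub REST API responses an audit
# would fetch (GET /orgs/{org}/members, GET /repos/{owner}/{repo}/collaborators).
ORG_MEMBERS = {"alice", "bob", "carol"}
REPO_COLLABORATORS = {
    "example-orm": [
        {"login": "alice", "permissions": {"admin": True, "push": True, "pull": True}},
        {"login": "bob", "permissions": {"admin": True, "push": True, "pull": True}},
        {"login": "dave", "permissions": {"admin": True, "push": True, "pull": True}},
    ],
    "example-search": [
        {"login": "alice", "permissions": {"admin": False, "push": True, "pull": True}},
        {"login": "carol", "permissions": {"admin": True, "push": True, "pull": True}},
    ],
}
# Constructed: newest commit authored by each login in the org (None = none found).
LAST_CONTRIBUTION = {
    "alice": datetime(2025, 5, 30, tzinfo=timezone.utc),
    "bob": datetime(2022, 1, 15, tzinfo=timezone.utc),
    "carol": datetime(2024, 11, 2, tzinfo=timezone.utc),
    "dave": None,
}
NOW = datetime(2025, 6, 18, tzinfo=timezone.utc)  # constructed audit date

def admins(collaborators):
    """Map each login holding admin rights to the repositories it administers."""
    result = {}
    for repo, users in collaborators.items():
        for user in users:
            if user["permissions"].get("admin"):
                result.setdefault(user["login"], set()).add(repo)
    return result

def alumni_candidates(members, last_contribution, now, stale_after=STALE_AFTER):
    """Org members with no contribution inside the window (or none at all)."""
    cutoff = now - stale_after
    return {m for m in members
            if last_contribution.get(m) is None or last_contribution[m] < cutoff}

def external_candidates(members, collaborators):
    """Repository collaborators who are not organization members."""
    return {u["login"] for users in collaborators.values() for u in users} - members

def audit(members, collaborators, last_contribution, now):
    admin_map = admins(collaborators)
    return {"admin_count": len(admin_map), "admins": admin_map,
            "alumni": alumni_candidates(members, last_contribution, now),
            "external": external_candidates(members, collaborators)}
```

`audit(ORG_MEMBERS, REPO_COLLABORATORS, LAST_CONTRIBUTION, NOW)` reports four admins, `bob` as an Alumni candidate and `dave` as a non-member to move out or convert to an external collaborator; rerunning it on a schedule is the yearly audit the proposal asks for.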
