[Owasp-leaders] Access management on GitHub

Bjoern Kimminich bjoern.kimminich at owasp.org
Tue Jan 10 09:55:08 UTC 2017

I do not think that OWASP org on GitHub should be a historical inventory.
Everything on github.com/OWASP should be usable, documented and - most
importantly - responsive to user requests (via Issues) and contributions
(via PRs). Unmaintained projects fail at responsiveness, so they end up
with tons of unanswered issues.

Prime example from yesterday: In https://github.com/OWASP/rbac/issues/88 a
user asks: *"why no new commits in the package from 2015, I need to use it
in large scale app and I'm afraid because of maintained. any help?"*

This leaves a bad impression on maturity of OWASP's open source offerings.
Even an honest *"Sorry, this project is currently not in active
development!"* would be fine. Not receiving a response is what frustrates
me most when opening an issue or PR. That's why we should at least make it
visible when a project is unmaintained, so they *do not even ask a question
in the first place* and won't be disappointed if they never get an answer.

Put the "Inactive Project" banner on top of the README. Adding a "Use
Project X instead" would be great! Alternatively move projects like this to
an "owasp-archive"- or "owasp-legacy"-org if you prefer. Zombies should not
stay in our main GitHub organization and certainly we should not add more.

Also please note that *deleting or moving a GitHub repository* is *not*
equivalent to *deleting an OWASP Project*. Furthermore, *unmaintained* is a
pretty blurry term, so I'd make it easier to grasp with some KPIs, such as:

   - number of total open issues
   - number of issues without a response/comment/label added by project team
   - age of oldest open issue
   - *same as above three for PRs*
   - age of last commit
   - age of last release

Statistics can give us a good overview here. Part of this we even get for
free for projects we register on OpenHub:
They just don't seem to update as regularly as they did in the past and I
have no idea how to retrigger an analysis over there.


On Tue, Jan 10, 2017 at 1:23 AM, Sean Auriti <sean.auriti at owasp.org> wrote:

> On this note.  I think it would be good that every single OWASP project be
> on the OWASP github.  Even if they are not actively maintained.  Also
> before we delete any project, it would be good to check in with the project
> leaders and confirm that they no longer want that project to be an OWASP
> project.
> On Mon, Jan 9, 2017 at 7:18 PM, Chetan Karande <chetan.karande at owasp.org>
> wrote:
>> +1. Thanks Bjoern for bringing this up.
>> Without proper access rights, there is no way for project leaders to
>> assign issues to contributors who are not already part of OWASP github
>> account. It would be really helpful for project leaders to have rights to
>> create a project team and add members to it.
>> Chetan Karande
>> OWASP NodeGoat project
>> On Jan 3, 2017 9:52 AM, "Bev Corwin" <bev.corwin at owasp.org> wrote:
>>> +1 Yes, please set up a committee meeting to discuss this and how to
>>> best set up. Best wishes.
>>> Bev
>>> On Tue, Jan 3, 2017 at 4:55 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> +Bjoern, I agree on this.
>>>> If our technical staff also agrees, I think this clean up is surely
>>>> necessary
>>>> @Matt: If you also agree or have other suggestions from the technical
>>>> point of view, please let us know so Bjorn can continue with the proposed
>>>> changes
>>>> On Wed, Dec 28, 2016 at 3:35 PM, Bjoern Kimminich <
>>>> bjoern.kimminich at owasp.org> wrote:
>>>>> Hi all,
>>>>> I noticed that the access rights on our GitHub organization are a mess
>>>>> at the moment. Most repositories have a "team" defined representing the
>>>>> project team - which is good, especially if a project has multiple repos,
>>>>> where manually adding individuals to each stops being fun.
>>>>> The bad news: Most of these "teams" have been deleted at some point in
>>>>> time. GitHub unfortunately does not remove those from assigned repos
>>>>> automatically. So we now have several zombie teams on GitHub that show a
>>>>> 404 when trying to view them.
>>>>> Then there is this "Owner" team where ~17 people are in, and an
>>>>> "Admin" team where only I am in, for unknown reason. Neither team
>>>>> membership gives full access to the org settings, so no idea what they are
>>>>> good for.
>>>>> Is there a secret concept behind this? If not, I vote for tabula rasa:
>>>>> 1. Delete all teams
>>>>> 2. Remove all (zombie) teams from all repos
>>>>> 3. Create a dedicated team per OWASP project that has repos in the org
>>>>> and assign their members
>>>>> 4. Assign teams to their repos as "Writer" or "Admin" (depending how
>>>>> project prefers)
>>>>> 5. Give at least project leader individual "Admin" prefs on repos of
>>>>> his/her projects
>>>>> (6. Create one admin team and assign it as "Admin" to all repos)
>>>>> Better ideas? I suggest doing this *after* clearing the trash/empty
>>>>> repositories to avoid useless effort.
>>>>> Cheers,
>>>>> Bjoern
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
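As an added example (not code from the thread or from any OWASP project), the script below computes the repository-health KPIs listed in the message above: open issue and PR counts, how many of those have no response from the project team (no team comment and no label), the age of the oldest open item, and the age of the last commit and last release. It runs offline over constructed sample data whose field names follow a simplified subset of GitHub's issue and pull-request objects; the team membership, timestamps, and the thresholds in `looks_unmaintained` are assumptions for illustration.

```python
"""Repository-health KPIs for spotting unmaintained projects.

Constructed example: the data below is hand-written to resemble a trimmed
GitHub API listing, not fetched from GitHub. A real implementation would
populate the same structures from the issues, pulls, commits and releases
endpoints and pass the project team's GitHub logins as `team`.
"""
from datetime import datetime, timezone

# Assumed project team logins and an assumed "now" for reproducible ages.
TEAM = {"alice", "bob"}
NOW = datetime(2017, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample issues. `comment_authors` is a simplification of the
# comments endpoint; `labels` holds label names only.
SAMPLE_ISSUES = [
    {"number": 88, "state": "open", "created_at": "2017-01-09T00:00:00Z",
     "labels": [], "comment_authors": []},                 # fresh, unanswered
    {"number": 70, "state": "open", "created_at": "2015-11-02T00:00:00Z",
     "labels": [], "comment_authors": ["carol"]},          # only a non-team comment
    {"number": 65, "state": "open", "created_at": "2016-03-15T00:00:00Z",
     "labels": ["bug"], "comment_authors": []},            # triaged via label
    {"number": 60, "state": "closed", "created_at": "2015-01-01T00:00:00Z",
     "labels": [], "comment_authors": ["alice"]},          # closed, ignored
]
SAMPLE_PULLS = [
    {"number": 80, "state": "open", "created_at": "2016-06-01T00:00:00Z",
     "labels": [], "comment_authors": ["bob"]},            # team reviewed
    {"number": 75, "state": "open", "created_at": "2016-09-20T00:00:00Z",
     "labels": [], "comment_authors": []},                 # unanswered
]
SAMPLE_LAST_COMMIT_AT = "2015-06-30T00:00:00Z"
SAMPLE_LAST_RELEASE_AT = None  # project never published a release


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps GitHub uses (e.g. 2017-01-09T00:00:00Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def age_days(ts, now=NOW):
    """Whole days elapsed between a timestamp and `now`."""
    return (now - parse_ts(ts)).days


def has_team_response(item, team):
    """A label (only collaborators can add one) or a comment by a team
    member counts as the project team having reacted to the item."""
    return bool(item["labels"]) or any(a in team for a in item["comment_authors"])


def kpis_for(items, team, now=NOW):
    """Open count, unanswered count and oldest-open age for issues or PRs."""
    open_items = [i for i in items if i["state"] == "open"]
    unanswered = [i for i in open_items if not has_team_response(i, team)]
    oldest = max((age_days(i["created_at"], now) for i in open_items), default=None)
    return {"open": len(open_items), "unanswered": len(unanswered),
            "oldest_open_days": oldest}


def repo_kpis(issues, pulls, last_commit_at, last_release_at, team, now=NOW):
    """Assemble the six KPIs from the thread for one repository."""
    return {
        "issues": kpis_for(issues, team, now),
        "pulls": kpis_for(pulls, team, now),
        "last_commit_days": age_days(last_commit_at, now),
        "last_release_days": age_days(last_release_at, now) if last_release_at else None,
    }


def looks_unmaintained(kpis, max_commit_age_days=365, max_unanswered=1):
    """Assumed thresholds: no commit for a year, or more than one unanswered
    issue or PR, flags the repo for an 'Inactive Project' banner review."""
    unanswered = kpis["issues"]["unanswered"] + kpis["pulls"]["unanswered"]
    return kpis["last_commit_days"] > max_commit_age_days or unanswered > max_unanswered


if __name__ == "__main__":
    result = repo_kpis(SAMPLE_ISSUES, SAMPLE_PULLS, SAMPLE_LAST_COMMIT_AT,
                       SAMPLE_LAST_RELEASE_AT, TEAM)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("flag for banner:", looks_unmaintained(result))
```

The "unanswered" rule deliberately treats a label as a response, because a user whose issue was at least triaged has evidence the project is alive; counting only comments would over-report projects that triage silently. Thresholds are the part to tune per project; the numbers above are placeholders, not a recommendation from the thread.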