[Owasp-leaders] Access management on GitHub

Sean Auriti sean.auriti at owasp.org
Tue Jan 10 15:05:31 UTC 2017


https://tommcfarlin.com/delete-old-repositories/

It seems there is some value to having the code around and marked as
archived / deprecated / unmaintained.


On Tue, Jan 10, 2017 at 4:55 AM Bjoern Kimminich <bjoern.kimminich at owasp.org>
wrote:

> I do not think that OWASP org on GitHub should be a historical inventory.
> Everything on github.com/OWASP should be usable, documented and - most
> importantly - responsive to user requests (via Issues) and contributions
> (via PRs). Unmaintained projects fail at responsiveness, so they end up
> with tons of unanswered issues.
>
> Prime example from yesterday: In https://github.com/OWASP/rbac/issues/88
> a user asks: *"why no new commits in the package from 2015, I need to use
> it in large scale app and I'm afraid because of maintained. any help?"*
>
> This leaves a bad impression on maturity of OWASP's open source offerings.
> Even an honest *"Sorry, this project is currently not in active
> development!"* would be fine. Not receiving a response is what frustrates
> me most when opening an issue or PR. That's why we should at least make it
> visible when a project is unmaintained, so they *do not even ask a
> question in the first place* and won't be disappointed if they never get
> an answer.
>
> Put the "Inactive Project" banner on top of the README. Adding a "Use
> Project X instead" would be great! Alternatively move projects like this to
> an "owasp-archive"- or "owasp-legacy"-org if you prefer. Zombies should not
> stay in our main GitHub organization and certainly we should not add more.
>
> Also please note, that *deleting or moving a GitHub repository* is *not*
> equivalent to *deleting an OWASP Project*. Furthermore, *unmaintained* is
> a pretty blurry term, so I'd make it easier to grasp with some KPIs, such
> as:
>
>    - number of total open issues
>    - number of issues without a response/comment/label added by project team
>    - age of oldest open issue
>    - *same as above three for PRs*
>    - age of last commit
>    - age of last release
>
> Statistics can give us a good overview here. Part of this we even get for
> free for projects we register on OpenHub:
> https://www.openhub.net/orgs/OWASP/projects
> They just don't seem to update as regularly as they did in the past and I
> have no idea how to retrigger an analysis over there.
>
> Cheers,
> Björn
>
>
> On Tue, Jan 10, 2017 at 1:23 AM, Sean Auriti <sean.auriti at owasp.org>
> wrote:
>
> On this note, I think it would be good that every single OWASP project be
> on the OWASP GitHub, even if they are not actively maintained. Also,
> before we delete any project, it would be good to check in with the project
> leaders and confirm that they no longer want that project to be an OWASP
> project.
>
> On Mon, Jan 9, 2017 at 7:18 PM, Chetan Karande <chetan.karande at owasp.org>
> wrote:
>
> +1. Thanks Bjoern for bringing this up.
>
> Without proper access rights, there is no way for project leaders to
> assign issues to contributors who are not already part of the OWASP GitHub
> organization. It would be really helpful for project leaders to have rights to
> create a project team and add members to it.
>
> Chetan Karande
> OWASP NodeGoat project
>
> On Jan 3, 2017 9:52 AM, "Bev Corwin" <bev.corwin at owasp.org> wrote:
>
> +1 Yes, please set up a committee meeting to discuss this and how to best
> set up. Best wishes.
>
> Bev
>
>
> On Tue, Jan 3, 2017 at 4:55 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> +Bjoern, I agree on this.
> If our technical staff also agrees, I think this clean-up is surely
> necessary.
>
> @Matt: If you also agree or have other suggestions from the technical
> point of view, please let us know so Bjoern can continue with the proposed
> changes.
>
> On Wed, Dec 28, 2016 at 3:35 PM, Bjoern Kimminich <
> bjoern.kimminich at owasp.org> wrote:
>
> Hi all,
>
> I noticed that the access rights on our GitHub organization are a mess at
> the moment. Most repositories have a "team" defined representing the
> project team - which is good, especially if a project has multiple repos,
> where manually adding individuals to each stops being fun.
>
> The bad news: Most of these "teams" have been deleted at some point in
> time. GitHub unfortunately does not remove those from assigned repos
> automatically. So we now have several zombie teams on GitHub that show a
> 404 when trying to view them.
>
> Then there is this "Owner" team with ~17 people in it, and an "Admin"
> team where only I am in, for an unknown reason. Neither team membership gives
> full access to the org settings, so no idea what they are good for.
>
> Is there a secret concept behind this? If not, I vote for tabula rasa:
>
> 1. Delete all teams
> 2. Remove all (zombie) teams from all repos
> 3. Create a dedicated team per OWASP project that has repos in the org and
> assign their members
> 4. Assign teams to their repos as "Writer" or "Admin" (depending on how the
> project prefers)
> 5. Give at least the project leader individual "Admin" permissions on the
> repos of his/her projects
> (6. Create one admin team and assign it as "Admin" to all repos)
>
> Better ideas? I suggest doing this *after* clearing the trash/empty
> repositories to avoid useless effort.
>
> Cheers,
> Bjoern
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
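As an added example (not written by anyone in this thread), the script below computes the staleness KPIs Björn proposes above: open issues, open issues the project team never responded to, age of the oldest open issue, the same three for PRs, and the age of the last commit and last release. The team roster, issue records and timestamps are constructed sample data shaped like the fields GitHub's REST API returns; nothing here is taken from a real repository.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical project, not a real OWASP repo).
# Field names mirror GitHub's issues API; "comments" is pre-expanded here.
TEAM = {"alice", "bob"}                                   # project team logins
NOW = datetime(2017, 1, 10, tzinfo=timezone.utc)          # evaluation date

ISSUES = [
    {"number": 88, "created_at": "2016-12-20T10:00:00Z", "state": "open",
     "labels": [], "comments": [], "pull_request": False},
    {"number": 70, "created_at": "2015-09-01T10:00:00Z", "state": "open",
     "labels": [], "comments": [{"user": "carol"}], "pull_request": False},
    {"number": 75, "created_at": "2016-03-01T10:00:00Z", "state": "open",
     "labels": ["wontfix"], "comments": [], "pull_request": True},
    {"number": 60, "created_at": "2015-01-01T10:00:00Z", "state": "closed",
     "labels": [], "comments": [{"user": "alice"}], "pull_request": False},
]
LAST_COMMIT = "2015-06-15T12:00:00Z"      # date of the most recent commit
LAST_RELEASE = "2015-02-01T12:00:00Z"     # date of the most recent release


def parse(ts):
    """Parse GitHub's ISO-8601 UTC timestamps into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def age_days(ts, now=NOW):
    return (now - parse(ts)).days


def team_responded(item, team):
    """A label or a comment from a team member counts as a response;
    comments from outsiders (e.g. other users) do not."""
    return bool(item["labels"]) or any(c["user"] in team for c in item["comments"])


def kpis(items, team, now=NOW):
    """Open count, unanswered count and oldest open age for one item type."""
    open_items = [i for i in items if i["state"] == "open"]
    unanswered = [i for i in open_items if not team_responded(i, team)]
    oldest = max((age_days(i["created_at"], now) for i in open_items), default=0)
    return {"open": len(open_items), "unanswered": len(unanswered), "oldest_days": oldest}


def project_report(issues, last_commit, last_release, team, now=NOW):
    """The KPI set from the thread: issues and PRs separately, plus commit/release age."""
    return {
        "issues": kpis([i for i in issues if not i["pull_request"]], team, now),
        "prs": kpis([i for i in issues if i["pull_request"]], team, now),
        "last_commit_days": age_days(last_commit, now),
        "last_release_days": age_days(last_release, now),
    }
```

Run `project_report(ISSUES, LAST_COMMIT, LAST_RELEASE, TEAM)` to get the per-project numbers; feeding the same function data pulled from the API for every repo in an org gives the overview Björn asks for.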