Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2015/03/12 10:50:20 UTC

Why are committers accounts never terminated?

Hi Infra Team and All,

I have a question I have been wondering about for some time and recently discussed in our OFBiz PMC ML.

Committers come and go. When a PMC member resigns, because s/he clearly wants to stop helping on the project and wants to be completely disconnected from 
it, her/his committer account remains active. I wonder if this is not a useless security hole. Same for no longer active committers. The difference 
with an active committer is s/he will never know since s/he is possibly no longer monitoring things.

A credential can be abused by an external person; that can be the beginning of many troubles we cannot all imagine (hackers do)... With security 
holes you never know, until it bites you, so I really wonder why a committer account cannot be terminated?

Thanks

Jacques


Fwd: Why are committers accounts never terminated?

Posted by Pierre Smits <pi...@gmail.com>.
This bounced.
Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com

---------- Forwarded message ----------
From: Pierre Smits <pi...@gmail.com>
Date: Thu, Mar 12, 2015 at 2:21 PM
Subject: Re: Why are committers accounts never terminated?
To: jfarrell@apache.org
Cc: Mark Thomas <ma...@apache.org>, "infrastructure@apache.org" <
infrastructure@apache.org>, "dev@ofbiz.apache.org" <de...@ofbiz.apache.org>, "
dev@community.apache.org" <de...@community.apache.org>


Hi Jake,

I am not talking about removing merit and karma. Such is persisted in many
ways, think web pages, wiki pages, etc. I am talking about revoking
permissions at tools levels. That doesn't mean deleting committers
identities within the ASF.

Ensuring that committers get the same permissions back (or not) is up to
the PMC of a project to decide.

Best regards,

Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com

On Thu, Mar 12, 2015 at 2:15 PM, Jake Farrell <jf...@apache.org> wrote:

> Hi Pierre
> merit and karma are earned and should not be taken away. If we were to
> remove karma for services and then someone came back how would we track
> what their previous permissions had been, this would leave no guarantee
> that they would have the same permissions they had when they initially
> stepped away for whatever reason.
>
> -Jake
>
> On Thu, Mar 12, 2015 at 9:09 AM, Pierre Smits <pi...@gmail.com>
> wrote:
>
>> I apparently only replied to Jacques. See that message below.
>>
>>
>> Pierre Smits
>>
>> *ORRTIZ.COM <http://www.orrtiz.com>*
>> Services & Solutions for Cloud-
>> Based Manufacturing, Professional
>> Services and Retail & Trade
>> http://www.orrtiz.com
>>
>> ---------- Forwarded message ----------
>> From: Pierre Smits <pi...@gmail.com>
>> Date: Thu, Mar 12, 2015 at 1:15 PM
>> Subject: Re: Why are committers accounts never terminated?
>> To: Jacques Le Roux <ja...@les7arts.com>
>>
>>
>> When committers resign on their own accord (for whatever reason) their
>> permissions for the tools of the project (JIRA, CONFLUENCE, SVN, etc)
>> should be revoked. When they want to be active again, this can easily be
>> facilitated.
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> *ORRTIZ.COM <http://www.orrtiz.com>*
>> Services & Solutions for Cloud-
>> Based Manufacturing, Professional
>> Services and Retail & Trade
>> http://www.orrtiz.com
>>
>> On Thu, Mar 12, 2015 at 1:11 PM, Jacques Le Roux <
>> jacques.le.roux@les7arts.com> wrote:
>>
>>> Thanks Mark,
>>>
>>> It's quite clear
>>>
>>> Jacques
>>>
>>> Le 12/03/2015 11:59, Mark Thomas a écrit :
>>>
>>>  On 12/03/2015 09:50, Jacques Le Roux wrote:
>>>>
>>>>> Hi Infra Team and All,
>>>>>
>>>>> I have a question I have been wondering about for some time and recently discussed in our
>>>>> OFBiz PMC ML.
>>>>>
>>>>> Committers come and go. When a PMC member resigns, because s/he clearly
>>>>> wants to stop helping on the project and wants to be completely
>>>>> disconnected from it, her/his committer account remains active. I wonder
>>>>> if this is not a useless security hole. Same for no longer active
>>>>> committers. The difference with an active committer is s/he will never
>>>>> know since s/he is possibly no longer monitoring things.
>>>>>
>>>>> A credential can be abused by an external person; that can be the
>>>>> beginning of many troubles we cannot all imagine (hackers do)... With
>>>>> security holes you never know, until it bites you, so I really wonder
>>>>> why a committer account cannot be terminated?
>>>>>
>>>> A committer account on its own can do very little in the way of harm.
>>>>
>>>> It can (if you know which hoops to jump through) get shell access to
>>>> people.a.o and it can send e-mail from an @apache.org e-mail address.
>>>>
>>>> people.a.o is locked down (and infra has additional monitoring in place)
>>>> so the risk here is sufficiently small infra is happy with it.
>>>>
>>>> In terms of sending e-mail via an @apache.org e-mail address, if it is
>>>> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>>>>
>>>> The PMC is responsible for granting (and revoking) commit access. There
>>>> is nothing (of a technical nature - you'll have to answer to the board
>>>> and your community for the social aspects) stopping you removing
>>>> inactive committers from the appropriate LDAP group(s).
>>>>
>>>> I'd add that the PMC is responsible for reviewing all the commits made
>>>> to the PMC's repositories. You are expected to spot if a long inactive
>>>> committer suddenly starts making changes or an account you don't
>>>> recognise makes changes. Likewise, active committers are expected to
>>>> spot changes in their name they did not make.
>>>>
>>>> More generally, if infra has a security concern we shut stuff down
>>>> and/or lock accounts first and ask questions later. Any security
>>>> concerns should be reported immediately to root@apache.org
>>>>
>>>> Finally, infra periodically enforces password resets for all committers.
>>>> This has the helpful side-effect of effectively locking unused committer
>>>> accounts.
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>
>>
>
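
One way to act on Mark's point that the PMC is expected to spot a long-inactive committer suddenly making changes, or an account it does not recognise, as an added example that is not part of this thread and not any ASF tooling: a small Python script that reads commit records against a committer roster and flags the two cases. The roster, the one-line log format and the commit lines are constructed sample data, and the one-year inactivity window is an assumed value a PMC would pick for itself.

```python
"""
Flag commits a PMC reviewer should look at twice:
  - commits by an account that is not on the committer roster, and
  - commits by a committer whose last known activity is older than a
    chosen inactivity window.
All data below is constructed for the example.
"""
from datetime import datetime, timedelta

# Constructed roster: committer id -> date of last known commit (hypothetical).
ROSTER = {
    "alice": datetime(2015, 3, 10),
    "bob": datetime(2013, 1, 5),     # long inactive
    "carol": datetime(2015, 2, 28),
}

# Constructed commit log, one record per line: "YYYY-MM-DD author message".
COMMIT_LOG = """\
2015-03-11 alice Fix typo in README
2015-03-12 bob Update build script
2015-03-12 mallory Add helper
2015-03-12 carol Bump version
"""

# Assumed policy value: a year without commits counts as "long inactive".
INACTIVITY_WINDOW = timedelta(days=365)


def parse_commits(log_text):
    """Parse the constructed log format into (date, author, message) tuples."""
    commits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date_str, author, message = line.split(" ", 2)
        commits.append((datetime.strptime(date_str, "%Y-%m-%d"), author, message))
    return commits


def review_commits(commits, roster, window):
    """Return (author, reason) pairs for commits worth a closer look.

    The roster is copied and updated as commits are processed, so a
    returning committer is flagged once, on the first commit after the gap,
    rather than on every commit that day.
    """
    last_seen = dict(roster)
    flags = []
    for date, author, _message in commits:
        seen = last_seen.get(author)
        if seen is None:
            flags.append((author, "unknown account"))
        elif date - seen > window:
            flags.append((author, "inactive for %d days" % (date - seen).days))
        if seen is not None and date > seen:
            last_seen[author] = date
    return flags


def main():
    for author, reason in review_commits(parse_commits(COMMIT_LOG), ROSTER, INACTIVITY_WINDOW):
        print("REVIEW %s: %s" % (author, reason))


if __name__ == "__main__":
    main()
```

Run as-is it reports bob (inactive for 796 days) and mallory (unknown account); alice and carol pass. In practice the roster would be derived from the project's LDAP group membership and the commit records from the repository log, which is exactly the review Mark describes the PMC being responsible for.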

Re: Why are committers accounts never terminated?

Posted by Leif Hedstrom <zw...@apache.org>.
I'm with Pierre on this one. The ATS PMC has, as an example, several members and committers who no longer read or reply to emails. We honestly have no idea if they are even in control of their accounts.

Cheers,

-- Leif 



> On Mar 12, 2015, at 7:21 AM, Pierre Smits <pi...@gmail.com> wrote:
> 
> Hi Jake,
> 
> I am not talking about removing merit and karma. Such is persisted in many
> ways, think web pages, wiki pages, etc. I am talking about revoking
> permissions at tools levels. That doesn't mean deleting committers
> identities within the ASF.
> 
> Ensuring that committers get the same permissions back (or not) is up to
> the PMC of a project to decide.
> 
> Best regards,
> 
> Pierre Smits
> 
> *ORRTIZ.COM <http://www.orrtiz.com>*
> Services & Solutions for Cloud-
> Based Manufacturing, Professional
> Services and Retail & Trade
> http://www.orrtiz.com
> 
>> On Thu, Mar 12, 2015 at 2:15 PM, Jake Farrell <jf...@apache.org> wrote:
>> 
>> Hi Pierre
>> merit and karma are earned and should not be taken away. If we were to
>> remove karma for services and then someone came back how would we track
>> what their previous permissions had been, this would leave no guarantee
>> that they would have the same permissions they had when they initially
>> stepped away for whatever reason.
>> 
>> -Jake
>> 
>> On Thu, Mar 12, 2015 at 9:09 AM, Pierre Smits <pi...@gmail.com>
>> wrote:
>> 
>>> I apparently only replied to Jacques. See that message below.
>>> 
>>> 
>>> Pierre Smits
>>> 
>>> *ORRTIZ.COM <http://www.orrtiz.com>*
>>> Services & Solutions for Cloud-
>>> Based Manufacturing, Professional
>>> Services and Retail & Trade
>>> http://www.orrtiz.com
>>> 
>>> ---------- Forwarded message ----------
>>> From: Pierre Smits <pi...@gmail.com>
>>> Date: Thu, Mar 12, 2015 at 1:15 PM
>>> Subject: Re: Why are committers accounts never terminated?
>>> To: Jacques Le Roux <ja...@les7arts.com>
>>> 
>>> 
>>> When committers resign on their own accord (for whatever reason) their
>>> permissions for the tools of the project (JIRA, CONFLUENCE, SVN, etc)
>>> should be revoked. When they want to be active again, this can easily be
>>> facilitated.
>>> 
>>> Best regards,
>>> 
>>> Pierre Smits
>>> 
>>> *ORRTIZ.COM <http://www.orrtiz.com>*
>>> Services & Solutions for Cloud-
>>> Based Manufacturing, Professional
>>> Services and Retail & Trade
>>> http://www.orrtiz.com
>>> 
>>> On Thu, Mar 12, 2015 at 1:11 PM, Jacques Le Roux <
>>> jacques.le.roux@les7arts.com> wrote:
>>> 
>>>> Thanks Mark,
>>>> 
>>>> It's quite clear
>>>> 
>>>> Jacques
>>>> 
>>>> Le 12/03/2015 11:59, Mark Thomas a écrit :
>>>> 
>>>> On 12/03/2015 09:50, Jacques Le Roux wrote:
>>>>> 
>>>>>> Hi Infra Team and All,
>>>>>> 
>>>>>> I have a question I have been wondering about for some time and recently discussed in our
>>>>>> OFBiz PMC ML.
>>>>>> 
>>>>>> Committers come and go. When a PMC member resigns, because s/he clearly
>>>>>> wants to stop helping on the project and wants to be completely
>>>>>> disconnected from it, her/his committer account remains active. I wonder
>>>>>> if this is not a useless security hole. Same for no longer active
>>>>>> committers. The difference with an active committer is s/he will never
>>>>>> know since s/he is possibly no longer monitoring things.
>>>>>> 
>>>>>> A credential can be abused by an external person; that can be the
>>>>>> beginning of many troubles we cannot all imagine (hackers do)... With
>>>>>> security holes you never know, until it bites you, so I really wonder
>>>>>> why a committer account cannot be terminated?
>>>>> A committer account on its own can do very little in the way of harm.
>>>>> 
>>>>> It can (if you know which hoops to jump through) get shell access to
>>>>> people.a.o and it can send e-mail from an @apache.org e-mail address.
>>>>> 
>>>>> people.a.o is locked down (and infra has additional monitoring in place)
>>>>> so the risk here is sufficiently small infra is happy with it.
>>>>> 
>>>>> In terms of sending e-mail via an @apache.org e-mail address, if it is
>>>>> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>>>>> 
>>>>> The PMC is responsible for granting (and revoking) commit access. There
>>>>> is nothing (of a technical nature - you'll have to answer to the board
>>>>> and your community for the social aspects) stopping you removing
>>>>> inactive committers from the appropriate LDAP group(s).
>>>>> 
>>>>> I'd add that the PMC is responsible for reviewing all the commits made
>>>>> to the PMC's repositories. You are expected to spot if a long inactive
>>>>> committer suddenly starts making changes or an account you don't
>>>>> recognise makes changes. Likewise, active committers are expected to
>>>>> spot changes in their name they did not make.
>>>>> 
>>>>> More generally, if infra has a security concern we shut stuff down
>>>>> and/or lock accounts first and ask questions later. Any security
>>>>> concerns should be reported immediately to root@apache.org
>>>>> 
>>>>> Finally, infra periodically enforces password resets for all committers.
>>>>> This has the helpful side-effect of effectively locking unused committer
>>>>> accounts.
>>>>> 
>>>>> Mark
>> 

Re: Why are committers accounts never terminated?

Posted by Pierre Smits <pi...@gmail.com>.
Hi Jake,

I am not talking about removing merit and karma. Such is persisted in many
ways, think web pages, wiki pages, etc. I am talking about revoking
permissions at tools levels. That doesn't mean deleting committers
identities within the ASF.

Ensuring that committers get the same permissions back (or not) is up to
the PMC of a project to decide.

Best regards,

Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com

On Thu, Mar 12, 2015 at 2:15 PM, Jake Farrell <jf...@apache.org> wrote:

> Hi Pierre
> merit and karma are earned and should not be taken away. If we were to
> remove karma for services and then someone came back how would we track
> what their previous permissions had been, this would leave no guarantee
> that they would have the same permissions they had when they initially
> stepped away for whatever reason.
>
> -Jake
>
> On Thu, Mar 12, 2015 at 9:09 AM, Pierre Smits <pi...@gmail.com>
> wrote:
>
>> I apparently only replied to Jacques. See that message below.
>>
>>
>> Pierre Smits
>>
>> *ORRTIZ.COM <http://www.orrtiz.com>*
>> Services & Solutions for Cloud-
>> Based Manufacturing, Professional
>> Services and Retail & Trade
>> http://www.orrtiz.com
>>
>> ---------- Forwarded message ----------
>> From: Pierre Smits <pi...@gmail.com>
>> Date: Thu, Mar 12, 2015 at 1:15 PM
>> Subject: Re: Why are committers accounts never terminated?
>> To: Jacques Le Roux <ja...@les7arts.com>
>>
>>
>> When committers resign on their own accord (for whatever reason) their
>> permissions for the tools of the project (JIRA, CONFLUENCE, SVN, etc)
>> should be revoked. When they want to be active again, this can easily be
>> facilitated.
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> *ORRTIZ.COM <http://www.orrtiz.com>*
>> Services & Solutions for Cloud-
>> Based Manufacturing, Professional
>> Services and Retail & Trade
>> http://www.orrtiz.com
>>
>> On Thu, Mar 12, 2015 at 1:11 PM, Jacques Le Roux <
>> jacques.le.roux@les7arts.com> wrote:
>>
>>> Thanks Mark,
>>>
>>> It's quite clear
>>>
>>> Jacques
>>>
>>> Le 12/03/2015 11:59, Mark Thomas a écrit :
>>>
>>>  On 12/03/2015 09:50, Jacques Le Roux wrote:
>>>>
>>>>> Hi Infra Team and All,
>>>>>
>>>>> I have a question I have been wondering about for some time and recently discussed in our
>>>>> OFBiz PMC ML.
>>>>>
>>>>> Committers come and go. When a PMC member resigns, because s/he clearly
>>>>> wants to stop helping on the project and wants to be completely
>>>>> disconnected from it, her/his committer account remains active. I wonder
>>>>> if this is not a useless security hole. Same for no longer active
>>>>> committers. The difference with an active committer is s/he will never
>>>>> know since s/he is possibly no longer monitoring things.
>>>>>
>>>>> A credential can be abused by an external person; that can be the
>>>>> beginning of many troubles we cannot all imagine (hackers do)... With
>>>>> security holes you never know, until it bites you, so I really wonder
>>>>> why a committer account cannot be terminated?
>>>>>
>>>> A committer account on its own can do very little in the way of harm.
>>>>
>>>> It can (if you know which hoops to jump through) get shell access to
>>>> people.a.o and it can send e-mail from an @apache.org e-mail address.
>>>>
>>>> people.a.o is locked down (and infra has additional monitoring in place)
>>>> so the risk here is sufficiently small infra is happy with it.
>>>>
>>>> In terms of sending e-mail via an @apache.org e-mail address, if it is
>>>> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>>>>
>>>> The PMC is responsible for granting (and revoking) commit access. There
>>>> is nothing (of a technical nature - you'll have to answer to the board
>>>> and your community for the social aspects) stopping you removing
>>>> inactive committers from the appropriate LDAP group(s).
>>>>
>>>> I'd add that the PMC is responsible for reviewing all the commits made
>>>> to the PMC's repositories. You are expected to spot if a long inactive
>>>> committer suddenly starts making changes or an account you don't
>>>> recognise makes changes. Likewise, active committers are expected to
>>>> spot changes in their name they did not make.
>>>>
>>>> More generally, if infra has a security concern we shut stuff down
>>>> and/or lock accounts first and ask questions later. Any security
>>>> concerns should be reported immediately to root@apache.org
>>>>
>>>> Finally, infra periodically enforces password resets for all committers.
>>>> This has the helpful side-effect of effectively locking unused committer
>>>> accounts.
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>
>>
>

Re: Why are committers accounts never terminated?

Posted by Pierre Smits <pi...@gmail.com>.
Ron,

I suspect the ASF has the tools/solutions regarding those processes to the
PMC.

Best regards,

Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com

On Thu, Mar 12, 2015 at 2:26 PM, Ron Wheeler <rwheeler@artifact-software.com
> wrote:

> I thought that we were talking about removing accounts not erasing past
> contributors from all history of the project.
>
> Is there some great difficulty to adding a committer with the right privs?
> How much karma is encapsulated in the actual account?
>
> Getting rid of unused accounts seems to be a common recommendation for
> improving security.
>
> Having an up-to-date list of voters would probably help to clarify the
> results of votes for releases, etc.
> Turning 20% of the eligible voters into 80% by cleaning the enumeration
> list makes it easier to explain why a release vote was accepted.
>
> Ron
>
> On 12/03/2015 9:15 AM, Jake Farrell wrote:
>
>> Hi Pierre
>> merit and karma are earned and should not be taken away. If we were to
>> remove karma for services and then someone came back how would we track
>> what their previous permissions had been, this would leave no guarantee
>> that they would have the same permissions they had when they initially
>> stepped away for whatever reason.
>>
>> -Jake
>>
>> On Thu, Mar 12, 2015 at 9:09 AM, Pierre Smits <pi...@gmail.com>
>> wrote:
>>
>>  I apparently only replied to Jacques. See that message below.
>>>
>>>
>>> Pierre Smits
>>>
>>> *ORRTIZ.COM <http://www.orrtiz.com>*
>>> Services & Solutions for Cloud-
>>> Based Manufacturing, Professional
>>> Services and Retail & Trade
>>> http://www.orrtiz.com
>>>
>>> ---------- Forwarded message ----------
>>> From: Pierre Smits <pi...@gmail.com>
>>> Date: Thu, Mar 12, 2015 at 1:15 PM
>>> Subject: Re: Why are committers accounts never terminated?
>>> To: Jacques Le Roux <ja...@les7arts.com>
>>>
>>>
>>> When committers resign on their own accord (for whatever reason) their
>>> permissions for the tools of the project (JIRA, CONFLUENCE, SVN, etc)
>>> should be revoked. When they want to be active again, this can easily be
>>> facilitated.
>>>
>>> Best regards,
>>>
>>> Pierre Smits
>>>
>>> *ORRTIZ.COM <http://www.orrtiz.com>*
>>>
>>> Services & Solutions for Cloud-
>>> Based Manufacturing, Professional
>>> Services and Retail & Trade
>>> http://www.orrtiz.com
>>>
>>> On Thu, Mar 12, 2015 at 1:11 PM, Jacques Le Roux <
>>> jacques.le.roux@les7arts.com> wrote:
>>>
>>>  Thanks Mark,
>>>>
>>>> It's quite clear
>>>>
>>>> Jacques
>>>>
>>>> Le 12/03/2015 11:59, Mark Thomas a écrit :
>>>>
>>>>   On 12/03/2015 09:50, Jacques Le Roux wrote:
>>>>
>>>>> Hi Infra Team and All,
>>>>>>
>>>>>> I have a question I have been wondering about for some time and recently discussed in our
>>>>>> OFBiz PMC ML.
>>>>>>
>>>>>> Committers come and go. When a PMC member resigns, because s/he clearly
>>>>>> wants to stop helping on the project and wants to be completely
>>>>>> disconnected from it, her/his committer account remains active. I wonder
>>>>>> if this is not a useless security hole. Same for no longer active
>>>>>> committers. The difference with an active committer is s/he will never
>>>>>> know since s/he is possibly no longer monitoring things.
>>>>>>
>>>>>> A credential can be abused by an external person; that can be the
>>>>>> beginning of many troubles we cannot all imagine (hackers do)... With
>>>>>> security holes you never know, until it bites you, so I really wonder
>>>>>> why a committer account cannot be terminated?
>>>>>>
>>>>>>  A committer account on its own can do very little in the way of harm.
>>>>>
>>>>> It can (if you know which hoops to jump through) get shell access to
>>>>> people.a.o and it can send e-mail from an @apache.org e-mail address.
>>>>>
>>>>> people.a.o is locked down (and infra has additional monitoring in
>>>>> place)
>>>>> so the risk here is sufficiently small infra is happy with it.
>>>>>
>>>>> In terms of sending e-mail via an @apache.org e-mail address, if it is
>>>>> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>>>>>
>>>>> The PMC is responsible for granting (and revoking) commit access. There
>>>>> is nothing (of a technical nature - you'll have to answer to the board
>>>>> and your community for the social aspects) stopping you removing
>>>>> inactive committers from the appropriate LDAP group(s).
>>>>>
>>>>> I'd add that the PMC is responsible for reviewing all the commits made
>>>>> to the PMC's repositories. You are expected to spot if a long inactive
>>>>> committer suddenly starts making changes or an account you don't
>>>>> recognise makes changes. Likewise, active committers are expected to
>>>>> spot changes in their name they did not make.
>>>>>
>>>>> More generally, if infra has a security concern we shut stuff down
>>>>> and/or lock accounts first and ask questions later. Any security
>>>>> concerns should be reported immediately to root@apache.org
>>>>>
>>>>> Finally, infra periodically enforces password resets for all
>>>>> committers.
>>>>> This has the helpful side-effect of effectively locking unused
>>>>> committer
>>>>> accounts.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: rwheeler@artifact-software.com
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>

Re: Why are committers accounts never terminated?

Posted by Pierre Smits <pi...@gmail.com>.
We're not even talking about removing accounts. That is at ASF level. But
we're talking about revoking permissions.

Best regards,

Pierre Smits

*ORRTIZ.COM <http://www.orrtiz.com>*
Services & Solutions for Cloud-
Based Manufacturing, Professional
Services and Retail & Trade
http://www.orrtiz.com

On Thu, Mar 12, 2015 at 2:26 PM, Ron Wheeler <rwheeler@artifact-software.com
> wrote:

> I thought that we were talking about removing accounts not erasing past
> contributors from all history of the project.
>
> Is there some great difficulty to adding a committer with the right privs?
> How much karma is encapsulated in the actual account?
>
> Getting rid of unused accounts seems to be a common recommendation for
> improving security.
>
> Having an up-to-date list of voters would probably help to clarify the
> results of votes for releases, etc.
> Turning 20% of the eligible voters into 80% by cleaning the enumeration
> list makes it easier to explain why a release vote was accepted.
>
> Ron
>
> On 12/03/2015 9:15 AM, Jake Farrell wrote:
>
>> Hi Pierre
>> merit and karma are earned and should not be taken away. If we were to
>> remove karma for services and then someone came back how would we track
>> what their previous permissions had been, this would leave no guarantee
>> that they would have the same permissions they had when they initially
>> stepped away for whatever reason.
>>
>> -Jake
>>
>> On Thu, Mar 12, 2015 at 9:09 AM, Pierre Smits <pi...@gmail.com>
>> wrote:
>>
>>  I apparently only replied to Jacques. See that message below.
>>>
>>>
>>> Pierre Smits
>>>
>>> *ORRTIZ.COM <http://www.orrtiz.com>*
>>> Services & Solutions for Cloud-
>>> Based Manufacturing, Professional
>>> Services and Retail & Trade
>>> http://www.orrtiz.com
>>>
>>> ---------- Forwarded message ----------
>>> From: Pierre Smits <pi...@gmail.com>
>>> Date: Thu, Mar 12, 2015 at 1:15 PM
>>> Subject: Re: Why are committers accounts never terminated?
>>> To: Jacques Le Roux <ja...@les7arts.com>
>>>
>>>
>>> When committers resign on their own accord (for whatever reason) their
>>> permissions for the tools of the project (JIRA, CONFLUENCE, SVN, etc)
>>> should be revoked. When they want to be active again, this can easily be
>>> facilitated.
>>>
>>> Best regards,
>>>
>>> Pierre Smits
>>>
>>> *ORRTIZ.COM <http://www.orrtiz.com>*
>>>
>>> Services & Solutions for Cloud-
>>> Based Manufacturing, Professional
>>> Services and Retail & Trade
>>> http://www.orrtiz.com
>>>
>>> On Thu, Mar 12, 2015 at 1:11 PM, Jacques Le Roux <
>>> jacques.le.roux@les7arts.com> wrote:
>>>
>>>  Thanks Mark,
>>>>
>>>> It's quite clear
>>>>
>>>> Jacques
>>>>
>>>> Le 12/03/2015 11:59, Mark Thomas a écrit :
>>>>
>>>>   On 12/03/2015 09:50, Jacques Le Roux wrote:
>>>>
>>>>> Hi Infra Team and All,
>>>>>>
>>>>>> I have a question I have been wondering about for some time and recently discussed in our
>>>>>> OFBiz PMC ML.
>>>>>>
>>>>>> Committers come and go. When a PMC member resigns, because s/he clearly
>>>>>> wants to stop helping on the project and wants to be completely
>>>>>> disconnected from it, her/his committer account remains active. I wonder
>>>>>> if this is not a useless security hole. Same for no longer active
>>>>>> committers. The difference with an active committer is s/he will never
>>>>>> know since s/he is possibly no longer monitoring things.
>>>>>>
>>>>>> A credential can be abused by an external person; that can be the
>>>>>> beginning of many troubles we cannot all imagine (hackers do)... With
>>>>>> security holes you never know, until it bites you, so I really wonder
>>>>>> why a committer account cannot be terminated?
>>>>>>
>>>>>>  A committer account on its own can do very little in the way of harm.
>>>>>
>>>>> It can (if you know which hoops to jump through) get shell access to
>>>>> people.a.o and it can send e-mail from an @apache.org e-mail address.
>>>>>
>>>>> people.a.o is locked down (and infra has additional monitoring in
>>>>> place)
>>>>> so the risk here is sufficiently small infra is happy with it.
>>>>>
>>>>> In terms of sending e-mail via an @apache.org e-mail address, if it is
>>>>> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>>>>>
>>>>> The PMC is responsible for granting (and revoking) commit access. There
>>>>> is nothing (of a technical nature - you'll have to answer to the board
>>>>> and your community for the social aspects) stopping you removing
>>>>> inactive committers from the appropriate LDAP group(s).
>>>>>
>>>>> I'd add that the PMC is responsible for reviewing all the commits made
>>>>> to the PMC's repositories. You are expected to spot if a long inactive
>>>>> committer suddenly starts making changes or an account you don't
>>>>> recognise makes changes. Likewise, active committers are expected to
>>>>> spot changes in their name they did not make.
>>>>>
>>>>> More generally, if infra has a security concern we shut stuff down
>>>>> and/or lock accounts first and ask questions later. Any security
>>>>> concerns should be reported immediately to root@apache.org
>>>>>
>>>>> Finally, infra periodically enforces password resets for all
>>>>> committers.
>>>>> This has the helpful side-effect of effectively locking unused
>>>>> committer
>>>>> accounts.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>
>>>>>
>>>
>
> --
> Ron Wheeler
> President
> Artifact Software Inc
> email: rwheeler@artifact-software.com
> skype: ronaldmwheeler
> phone: 866-970-2435, ext 102
>
>

Re: Why are committers accounts never terminated?

Posted by Ron Wheeler <rw...@artifact-software.com>.
I thought that we were talking about removing accounts, not erasing past
contributors from all history of the project.

Is there some great difficulty in adding a committer with the right privs?
How much karma is encapsulated in the actual account?

Getting rid of unused accounts seems to be a common recommendation for
improving security.

Having an up-to-date list of voters would probably help to clarify the
results of votes for releases, etc.
Turning 20% of the eligible voters into 80% by cleaning the enumeration
list makes it easier to explain why a release vote was accepted.

Ron

On 12/03/2015 9:15 AM, Jake Farrell wrote:
> Hi Pierre,
> merit and karma are earned and should not be taken away. If we were to
> remove karma for services and then someone came back, how would we track
> what their previous permissions had been? This would leave no guarantee
> that they would have the same permissions they had when they initially
> stepped away for whatever reason.
>
> -Jake
>
> On Thu, Mar 12, 2015 at 9:09 AM, Pierre Smits <pi...@gmail.com>
> wrote:
>
>> I apparently only replied to Jacques. See that message below.
>>
>>
>> Pierre Smits
>>
>> *ORRTIZ.COM <http://www.orrtiz.com>*
>> Services & Solutions for Cloud-
>> Based Manufacturing, Professional
>> Services and Retail & Trade
>> http://www.orrtiz.com
>>
>> ---------- Forwarded message ----------
>> From: Pierre Smits <pi...@gmail.com>
>> Date: Thu, Mar 12, 2015 at 1:15 PM
>> Subject: Re: Why are committers accounts never terminated?
>> To: Jacques Le Roux <ja...@les7arts.com>
>>
>>
>> When committers resign on their own accord (for whatever reason) their
>> permissions for the tools of the project (JIRA, CONFLUENCE, SVN, etc)
>> should be revoked. When they want to be active again, this can easily be
>> facilitated.
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> *ORRTIZ.COM <http://www.orrtiz.com>*
>> Services & Solutions for Cloud-
>> Based Manufacturing, Professional
>> Services and Retail & Trade
>> http://www.orrtiz.com
>>
>> On Thu, Mar 12, 2015 at 1:11 PM, Jacques Le Roux <
>> jacques.le.roux@les7arts.com> wrote:
>>
>>> Thanks Mark,
>>>
>>> It's quite clear
>>>
>>> Jacques
>>>
>>> On 12/03/2015 11:59, Mark Thomas wrote:
>>>
>>>> On 12/03/2015 09:50, Jacques Le Roux wrote:
>>>>> Hi Infra Team and All,
>>>>>
>>>>> I have a question I have been wondering about for some time and
>>>>> recently discussed in our OFBiz PMC ML.
>>>>>
>>>>> Committers come and go. When a PMC member resigns, because s/he clearly
>>>>> wants to stop helping on the project and wants to be completely
>>>>> disconnected from it, her/his committer account remains active. I wonder
>>>>> if this is not a useless security hole. Same for no longer active
>>>>> committers. The difference with an active committer is s/he will never
>>>>> know since s/he is possibly no longer monitoring things.
>>>>>
>>>>> A credential can be abused by an external person, and that can be the
>>>>> beginning of many troubles we cannot all imagine (hackers do)... With
>>>>> security holes you never know, until it bites you, so I really wonder
>>>>> why a committer account cannot be terminated?
>>>>>
>>>> A committer account on its own can do very little in the way of harm.
>>>>
>>>> It can (if you know which hoops to jump through) get shell access to
>>>> people.a.o and it can send e-mail from an @apache.org e-mail address.
>>>>
>>>> people.a.o is locked down (and infra has additional monitoring in place)
>>>> so the risk here is sufficiently small that infra is happy with it.
>>>>
>>>> In terms of sending e-mail via an @apache.org e-mail address, if it is
>>>> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>>>>
>>>> The PMC is responsible for granting (and revoking) commit access. There
>>>> is nothing (of a technical nature - you'll have to answer to the board
>>>> and your community for the social aspects) stopping you from removing
>>>> inactive committers from the appropriate LDAP group(s).
>>>>
>>>> I'd add that the PMC is responsible for reviewing all the commits made
>>>> to the PMC's repositories. You are expected to spot if a long-inactive
>>>> committer suddenly starts making changes or an account you don't
>>>> recognise makes changes. Likewise, active committers are expected to
>>>> spot changes in their name that they did not make.
>>>>
>>>> More generally, if infra has a security concern we shut stuff down
>>>> and/or lock accounts first and ask questions later. Any security
>>>> concerns should be reported immediately to root@apache.org.
>>>>
>>>> Finally, infra periodically enforces password resets for all committers.
>>>> This has the helpful side-effect of effectively locking unused committer
>>>> accounts.
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>


-- 
Ron Wheeler
President
Artifact Software Inc
email: rwheeler@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102


Re: Why are committers accounts never terminated?

Posted by Jake Farrell <jf...@apache.org>.
Hi Pierre,
merit and karma are earned and should not be taken away. If we were to
remove karma for services and then someone came back, how would we track
what their previous permissions had been? This would leave no guarantee
that they would have the same permissions they had when they initially
stepped away for whatever reason.

-Jake

On Thu, Mar 12, 2015 at 9:09 AM, Pierre Smits <pi...@gmail.com>
wrote:

> I apparently only replied to Jacques. See that message below.
>
>
> Pierre Smits
>
> *ORRTIZ.COM <http://www.orrtiz.com>*
> Services & Solutions for Cloud-
> Based Manufacturing, Professional
> Services and Retail & Trade
> http://www.orrtiz.com
>
> ---------- Forwarded message ----------
> From: Pierre Smits <pi...@gmail.com>
> Date: Thu, Mar 12, 2015 at 1:15 PM
> Subject: Re: Why are committers accounts never terminated?
> To: Jacques Le Roux <ja...@les7arts.com>
>
>
> When committers resign on their own accord (for whatever reason) their
> permissions for the tools of the project (JIRA, CONFLUENCE, SVN, etc)
> should be revoked. When they want to be active again, this can easily be
> facilitated.
>
> Best regards,
>
> Pierre Smits
>
> *ORRTIZ.COM <http://www.orrtiz.com>*
> Services & Solutions for Cloud-
> Based Manufacturing, Professional
> Services and Retail & Trade
> http://www.orrtiz.com
>
> On Thu, Mar 12, 2015 at 1:11 PM, Jacques Le Roux <
> jacques.le.roux@les7arts.com> wrote:
>
>> Thanks Mark,
>>
>> It's quite clear
>>
>> Jacques
>>
>> On 12/03/2015 11:59, Mark Thomas wrote:
>>
>>> On 12/03/2015 09:50, Jacques Le Roux wrote:
>>>
>>>> Hi Infra Team and All,
>>>>
>>>> I have a question I have been wondering about for some time and
>>>> recently discussed in our OFBiz PMC ML.
>>>>
>>>> Committers come and go. When a PMC member resigns, because s/he clearly
>>>> wants to stop helping on the project and wants to be completely
>>>> disconnected from it, her/his committer account remains active. I wonder
>>>> if this is not a useless security hole. Same for no longer active
>>>> committers. The difference with an active committer is s/he will never
>>>> know since s/he is possibly no longer monitoring things.
>>>>
>>>> A credential can be abused by an external person, and that can be the
>>>> beginning of many troubles we cannot all imagine (hackers do)... With
>>>> security holes you never know, until it bites you, so I really wonder
>>>> why a committer account cannot be terminated?
>>>>
>>> A committer account on its own can do very little in the way of harm.
>>>
>>> It can (if you know which hoops to jump through) get shell access to
>>> people.a.o and it can send e-mail from an @apache.org e-mail address.
>>>
>>> people.a.o is locked down (and infra has additional monitoring in place)
>>> so the risk here is sufficiently small that infra is happy with it.
>>>
>>> In terms of sending e-mail via an @apache.org e-mail address, if it is
>>> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>>>
>>> The PMC is responsible for granting (and revoking) commit access. There
>>> is nothing (of a technical nature - you'll have to answer to the board
>>> and your community for the social aspects) stopping you from removing
>>> inactive committers from the appropriate LDAP group(s).
>>>
>>> I'd add that the PMC is responsible for reviewing all the commits made
>>> to the PMC's repositories. You are expected to spot if a long-inactive
>>> committer suddenly starts making changes or an account you don't
>>> recognise makes changes. Likewise, active committers are expected to
>>> spot changes in their name that they did not make.
>>>
>>> More generally, if infra has a security concern we shut stuff down
>>> and/or lock accounts first and ask questions later. Any security
>>> concerns should be reported immediately to root@apache.org.
>>>
>>> Finally, infra periodically enforces password resets for all committers.
>>> This has the helpful side-effect of effectively locking unused committer
>>> accounts.
>>>
>>> Mark
>>>
>>>
>>>
>
>

Re: Why are committers accounts never terminated?

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Mark,

It's quite clear

Jacques

On 12/03/2015 11:59, Mark Thomas wrote:
> On 12/03/2015 09:50, Jacques Le Roux wrote:
>> Hi Infra Team and All,
>>
>> I have a question I have been wondering about for some time and
>> recently discussed in our OFBiz PMC ML.
>>
>> Committers come and go. When a PMC member resigns, because s/he clearly
>> wants to stop helping on the project and wants to be completely
>> disconnected from it, her/his committer account remains active. I wonder
>> if this is not a useless security hole. Same for no longer active
>> committers. The difference with an active committer is s/he will never
>> know since s/he is possibly no longer monitoring things.
>>
>> A credential can be abused by an external person, and that can be the
>> beginning of many troubles we cannot all imagine (hackers do)... With
>> security holes you never know, until it bites you, so I really wonder
>> why a committer account cannot be terminated?
> A committer account on its own can do very little in the way of harm.
>
> It can (if you know which hoops to jump through) get shell access to
> people.a.o and it can send e-mail from an @apache.org e-mail address.
>
> people.a.o is locked down (and infra has additional monitoring in place)
> so the risk here is sufficiently small that infra is happy with it.
>
> In terms of sending e-mail via an @apache.org e-mail address, if it is
> abusive (i.e. spammy) then we do rely on folks reporting it to us.
>
> The PMC is responsible for granting (and revoking) commit access. There
> is nothing (of a technical nature - you'll have to answer to the board
> and your community for the social aspects) stopping you from removing
> inactive committers from the appropriate LDAP group(s).
>
> I'd add that the PMC is responsible for reviewing all the commits made
> to the PMC's repositories. You are expected to spot if a long-inactive
> committer suddenly starts making changes or an account you don't
> recognise makes changes. Likewise, active committers are expected to
> spot changes in their name that they did not make.
>
> More generally, if infra has a security concern we shut stuff down
> and/or lock accounts first and ask questions later. Any security
> concerns should be reported immediately to root@apache.org.
>
> Finally, infra periodically enforces password resets for all committers.
> This has the helpful side-effect of effectively locking unused committer
> accounts.
>
> Mark
>
>

Re: Why are committers accounts never terminated?

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
I would like to add to Mark's answer that just because a volunteer steps away, they still have the merit and karma they earned.  Life sometimes gets in the way but we want volunteers to be able to step back into things.  I have also never heard of anyone misusing karma granted on return.

So I would think it extraordinary to remove commit access.  You never know when they might be back or another TLP takes their interest.

They could lose their credentials, which Mark has covered, but otherwise I hope I have explained more of the ideology behind the why.
Regards,
KAM

On March 12, 2015 6:59:57 AM EDT, Mark Thomas <ma...@apache.org> wrote:
>On 12/03/2015 09:50, Jacques Le Roux wrote:
>> Hi Infra Team and All,
>> 
>> I really wonder
>> why a committer account cannot be terminated?

Re: Why are committers accounts never terminated?

Posted by Mark Thomas <ma...@apache.org>.
On 12/03/2015 09:50, Jacques Le Roux wrote:
> Hi Infra Team and All,
>
> I have a question I have been wondering about for some time and
> recently discussed in our OFBiz PMC ML.
>
> Committers come and go. When a PMC member resigns, because s/he clearly
> wants to stop helping on the project and wants to be completely
> disconnected from it, her/his committer account remains active. I wonder
> if this is not a useless security hole. Same for no longer active
> committers. The difference with an active committer is s/he will never
> know since s/he is possibly no longer monitoring things.
>
> A credential can be abused by an external person, and that can be the
> beginning of many troubles we cannot all imagine (hackers do)... With
> security holes you never know, until it bites you, so I really wonder
> why a committer account cannot be terminated?

A committer account on its own can do very little in the way of harm.

It can (if you know which hoops to jump through) get shell access to
people.a.o and it can send e-mail from an @apache.org e-mail address.

people.a.o is locked down (and infra has additional monitoring in place)
so the risk here is sufficiently small that infra is happy with it.

In terms of sending e-mail via an @apache.org e-mail address, if it is
abusive (i.e. spammy) then we do rely on folks reporting it to us.

The PMC is responsible for granting (and revoking) commit access. There
is nothing (of a technical nature - you'll have to answer to the board
and your community for the social aspects) stopping you from removing
inactive committers from the appropriate LDAP group(s).

I'd add that the PMC is responsible for reviewing all the commits made
to the PMC's repositories. You are expected to spot if a long-inactive
committer suddenly starts making changes or an account you don't
recognise makes changes. Likewise, active committers are expected to
spot changes in their name that they did not make.

More generally, if infra has a security concern we shut stuff down
and/or lock accounts first and ask questions later. Any security
concerns should be reported immediately to root@apache.org.

Finally, infra periodically enforces password resets for all committers.
This has the helpful side-effect of effectively locking unused committer
accounts.

Mark
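Mark's two practical points, that the PMC is expected to notice when a long-inactive committer or an unrecognised account suddenly commits, and that removing inactive committers from the LDAP group is a PMC decision, can both be backed by a routine check over the commit log. The script below is an added example written for this thread; it is not ASF infra tooling or OFBiz project code. It reads `svn log --xml` output (Subversion's own output format; the entries here are constructed), assumes a committer roster such as an export of the project's committer LDAP group, and assumes a one-year dormancy window as a policy knob. All revision numbers, account names and dates are made up.

```python
"""Commit-review helper: flag commits from unknown or long-dormant accounts.

Added example, not ASF infra tooling or OFBiz project code. It reads
`svn log --xml` output (Subversion's real output format; the entries
below are constructed) and compares each commit with the PMC's committer
roster, which in practice would be exported from the project's LDAP group.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy knob (assumed): an account with no commit for a year counts as dormant.
DORMANT_AFTER = timedelta(days=365)
# Date the review is run (constructed, matching the thread's date).
REVIEW_DATE = datetime(2015, 3, 12)

# Constructed sample history: revisions, names, dates and messages are made up.
SAMPLE_SVN_LOG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log>
<logentry revision="1000"><author>bob</author><date>2012-05-20T08:00:00.000000Z</date><msg>Initial import of widget module</msg></logentry>
<logentry revision="1001"><author>alice</author><date>2014-01-10T09:30:00.000000Z</date><msg>Fix NPE in order service</msg></logentry>
<logentry revision="1002"><author>alice</author><date>2014-06-02T14:05:00.000000Z</date><msg>Update documentation</msg></logentry>
<logentry revision="1003"><author>carol</author><date>2014-11-15T11:20:00.000000Z</date><msg>Add unit tests</msg></logentry>
<logentry revision="1004"><author>carol</author><date>2015-02-20T16:45:00.000000Z</date><msg>Bump dependency versions</msg></logentry>
<logentry revision="1005"><author>alice</author><date>2015-03-01T10:00:00.000000Z</date><msg>Release notes</msg></logentry>
<logentry revision="1006"><author>bob</author><date>2015-03-05T10:12:33.000000Z</date><msg>Change build script</msg></logentry>
<logentry revision="1007"><author>mallory</author><date>2015-03-10T23:58:00.000000Z</date><msg>Minor cleanup</msg></logentry>
</log>
"""

# Constructed roster standing in for the PMC's committer LDAP group.
ROSTER = {"alice", "bob", "carol", "dave"}


@dataclass(frozen=True)
class Commit:
    revision: int
    author: str
    when: datetime
    summary: str


def parse_svn_log(xml_text):
    """Turn `svn log --xml` output into Commit records, oldest first."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")  # expat wants bytes when an encoding is declared
    commits = []
    for entry in ET.fromstring(xml_text).iter("logentry"):
        when = datetime.strptime(entry.findtext("date"), "%Y-%m-%dT%H:%M:%S.%fZ")
        commits.append(Commit(
            revision=int(entry.get("revision")),
            author=entry.findtext("author", default="(no author)"),
            when=when,
            summary=(entry.findtext("msg") or "").strip(),
        ))
    return sorted(commits, key=lambda c: (c.when, c.revision))


def find_suspicious_commits(commits, roster, dormant_after=DORMANT_AFTER):
    """Return (revision, author, reason) for commits a reviewer should look at twice:
    the author is not on the roster, or the author's previous commit is older
    than `dormant_after` (the "long-inactive committer suddenly commits" case)."""
    last_seen = {}
    findings = []
    for c in sorted(commits, key=lambda c: (c.when, c.revision)):
        if c.author not in roster:
            findings.append((c.revision, c.author, "author not on committer roster"))
        prev = last_seen.get(c.author)
        if prev is not None and c.when - prev > dormant_after:
            findings.append((c.revision, c.author,
                             f"dormant for {(c.when - prev).days} days before this commit"))
        last_seen[c.author] = c.when
    return findings


def dormant_accounts(commits, roster, now, dormant_after=DORMANT_AFTER):
    """Roster members with no commit within `dormant_after` of `now`: the
    candidates a PMC might remove from the LDAP group. Whether to do so is
    the social decision the thread discusses; this only produces the list."""
    last_seen = {}
    for c in commits:
        if c.author in roster and c.when <= now:
            last_seen[c.author] = max(last_seen.get(c.author, c.when), c.when)
    return sorted(a for a in roster
                  if a not in last_seen or now - last_seen[a] > dormant_after)


if __name__ == "__main__":
    history = parse_svn_log(SAMPLE_SVN_LOG_XML)
    for rev, author, reason in find_suspicious_commits(history, ROSTER):
        print(f"r{rev} by {author}: {reason}")
    print("dormant roster accounts:", dormant_accounts(history, ROSTER, now=REVIEW_DATE))
```

On the sample data the report flags r1006 (bob's first commit in about three years) and r1007 (mallory is not on the roster), and lists dave as the only dormant roster account, since he has never committed. Run against a real `svn log --xml` export and the real group membership, the same two lists are what a PMC would scan as part of the commit review Mark describes.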