Hi,

So, after the Gentoo hack, I started to look at all our teams on github,
and what access everybody has, etc, etc

And I have a few issues:
- we have old repositories that are no longer used
- we have teams without a description
- we have people without 2FA who are admins of some team
- github makes this kind of audit really difficult without scripting
(and the API is not stable yet for teams)

So I would propose the following rules, and apply them in 1 or 2 weeks'
time.

For projects:

- archive all old projects, i.e. ones that got no commit in the last 2
years, unless people give a reason for the project to stay unarchived.
Being archived does not remove it, it just hides it by default and sets it
read-only. It can be reverted without trouble.

See https://help.github.com/articles/archiving-a-github-repository/

- remove projects that never started ("vagrant" is one example, there is
only one readme file).

For teams:
- if you are admin of a team, you have to turn on 2FA on your account.
- if you are admin of the github org, you have to turn on 2FA.

- if a team no longer has a purpose (for example, all its repos got
archived or removed), it will be removed.

- add a description to every team, telling what kind of access it
gives.


This would give us a bit more clarity and security.
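Since the message notes that this audit is hard without scripting, here is an added example (not from the original mail or the Gluster infra team) of the three checks it describes: repositories with no push in 2 years, teams without a description, and team admins without 2FA. It runs over constructed sample data shaped after GitHub REST API repo fields ("pushed_at", "archived"); the team admin list and the 2FA map are assumed flattenings of the team-members and org-members?filter=2fa_disabled listings.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real Gluster repos or members).
NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)
REPOS = [
    {"name": "glusterfs", "pushed_at": "2018-06-28T10:00:00Z", "archived": False},
    {"name": "vagrant", "pushed_at": "2015-02-01T09:00:00Z", "archived": False},
    {"name": "old-docs", "pushed_at": "2016-05-01T09:00:00Z", "archived": True},
]
TEAMS = [
    {"name": "core", "description": "Write access to glusterfs", "admins": ["alice"]},
    {"name": "legacy", "description": "   ", "admins": ["bob", "alice"]},
]
# Assumed map built from the org members listing with filter=2fa_disabled:
# anyone returned there is False, everyone else True.
MEMBERS_2FA = {"alice": True, "bob": False}


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps the GitHub API returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_repos(repos, now=NOW, years=2):
    """Unarchived repos whose last push is older than `years` years."""
    cutoff = now - timedelta(days=365 * years)
    return sorted(r["name"] for r in repos
                  if not r["archived"] and parse_ts(r["pushed_at"]) < cutoff)


def teams_without_description(teams):
    """Teams whose description is missing or only whitespace."""
    return sorted(t["name"] for t in teams if not (t.get("description") or "").strip())


def admins_without_2fa(teams, members_2fa):
    """(team, user) pairs where a team admin has 2FA disabled or unknown."""
    return sorted({(t["name"], u) for t in teams for u in t["admins"]
                   if not members_2fa.get(u, False)})


if __name__ == "__main__":
    print("stale repos:", stale_repos(REPOS))
    print("teams without description:", teams_without_description(TEAMS))
    print("admins without 2FA:", admins_without_2fa(TEAMS, MEMBERS_2FA))
```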


-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS

