On 2024-03-27 at 02:43:11 UTC-0400 (Wed, 27 Mar 2024 15:43:11 +0900) Bryan Ellis <security-discuss@community.apache.org> is rumored to have said:
> Could the security team provide guidance on whether utilizing third-party
> services like 1Password for password management is acceptable?

1Password specifically is problematic because they no longer support any mechanism for sharing vaults other than through their proprietary service and using their proprietary client. An alternative would be to use an open-source password manager like Bitwarden or just a vault format like KDBX or PasswordSafe that could be shared via ASF infrastructure using ASF access controls.

> I've noticed several projects already adopting it, but I couldn't find any
> documentation clarifying whether third-party services are deemed acceptable
> or not.

I am a contributor to the ASF SpamAssassin project, which relies on some donated commercial services, most visibly DNS for spamassassin.org but also non-trivial performance feedback and public data mirroring. I don't believe that has ever been deemed a problem, although they do make us dependent on a small group of commercial partners, in aggregate (i.e. not on a single service provider but on some competent set of them). Being reliant on a single specific third party for access control to project resources seems somewhat different qualitatively. However, I don't believe there's any explicit ASF-wide policy on whether such a service can be used.

> In our project scenario, we manage a handful of accounts, most of which
> require OTP (one-time passwords). Leveraging password managers like
> 1Password enables us to share OTPs easily. Without a password manager, in
> some cases, I would have to wait for an individual to log in to fetch the
> OTP from their Authenticator app or even from a text message to their
> phone. This could become problematic if the person becomes inactive or goes
> on vacation.

Having used 1Password myself until their latest rent-seeking major update, I do not think it is the best choice of a PM for an ASF project, but I also recognize my bias and think that this needs to be a project-level choice so: you do you. PMC members have a better understanding of their specific project needs and risks than any central policy on 3rd-party services could address.

> The access to the password manager would only be given to Project
> Management Committee (PMC) members who requested it.
>
> I've created a 1Password Team account but am currently waiting to see what
> the security team's stance is on using such services before I upload any
> information.

I should note that I speak only for myself as an interested ASF member and contributor. I have no security role at the foundation level. Ignore me freely.