New repo for Security SIG #387
Labels
No labels
Backlog Status
Needs Review
Backlog Status
Ready
Chore
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
Backlog Status
Needs Review
Backlog Status
Ready
chore
documentation
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
No milestone
No project
5 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
forge/forge#387
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
I would like to request a repo for the Security SIG [1]. We have already a Matrix channel and a Project Discussion tag (#security-sig) and ask.fedora (#security) along with a sub-SIG (Confined Users sub-SIG [2] with its own tags in Project Discussion #confined-users, ask.fedora #su-confined-users + #selinux-confined-users and a separated Matrix channel).
The Security repo would serve both the Security SIG and its sub-SIGs.
In the Security channel, it is discussed for some weeks to create new weekly security meetings: having a repo and an issue tracker would be useful for that.
When following the naming of existing forge repos, the repo name would be "security". However, in the Matrix channel the worry was mentioned that this might be confusing and lead people to post security-critical stuff in public that should remain private/secret. So "security-sig" might be more useful (we have not had such issues with the security-sig name). But in any case, I would add to the repo a comment as it is already in the wiki article [1], elaborating that this SIG operates only on public channels and does not replace RH Product Security, with the latter being the place to contact for stuff that should not yet become public.
I assume co-owners (concerning privileges) with me should be @decathorpe @q5sys @siosm @nirik (they are either involved in security SIG or confinedusers SIG), if they want to choose so.
The wiki articles of the SIG(s) are expressive:
[1] https://fedoraproject.org/wiki/SIGs/Security
[2] https://fedoraproject.org/wiki/SIGs/ConfinedUsers
If the wiki will be removed at some point, we might choose to integrate the wiki pages into the repo.
I posted this in the security channel.
I think what @py0xc3 wanted to say is:
We need a new FAS group for the SIG ("security-sig" ?) that maps to a new org on forge.fedoraproject.org ("security") with SIG group sponsors mapping to an Owners team, and SIG group members mapping to a Members team. :)
I'm happy if we can combine creating the FAS group and the repo in one ticket, if that is possible :)
I think I was a bit confused through the context in which the Docs page about this process was presented to me, and I did not follow the discussions about how to align the new Forgejo structures/means with our FAS etc, so just for my understanding: the request new org or team Docs refer solely to an organization (=group/team) within forge.fp, which then can create its repos within its org, whereas this org is neither equal nor bound to an FAS group, right?
@py0xc3 wrote in #387 (comment):
No, organization / team membership is bound to (and defined by) FAS group membership(s).
FWIW, we already have a FAS group. https://accounts.fedoraproject.org/group/security-team/
I can add anyone that needs to be added.
The namespace and the associated teams (for owners and members) have been created.
Regarding the user mapping, I see conflicting information here. @py0xc3 is suggesting cherry-picking the aforementioned individuals as sponsors for the FAS groups, while @q5sys is suggesting the use of an already existing FAS group. We WILL need to create a couple of new FAS groups, though, i.e.
forge-security-ownersfor the admins andforge-security-membersfor the members. Please discuss among yourselves and finalise which path we should take for the inclusion of the users.I think there is no conflict but just a misunderstanding. I think @q5sys idea was to re-use the "sleeping" FAS group of the dissolved Security Team in order to save some time (@q5sys correct me if you want:)
The Security Team doesn't exist for long, but in the light of the XZUtils incident we found there was a gap that was to fill. The Security SIG was the consequence, but it is not identical to the Security Team and has a different purpose. With Matthew's approval of the #security-sig Project Discussion tag and subordinated tags of the SIGs that were "merged into" the SIG, we finally ended up with a SIG with sub-SIG(s) (which I find quite flexible and useful).
On one hand, I don't care much of the FAS group (reuse old, create new one, etc). Effectively, its primary purpose is to allow us to get a repo anyway. On the other hand, reviewing this old FAS group that used to have a different purpose, I am not sure if we save time as I think a lot of "purging" might have been appropriate before reusing it. I'm not sure if we want to "impose" what the Security SIG is on those who were members of the old Security Team without informing/talking to them etc. I also see potential for confusion between Security Team and Security SIG. That said, that's minor things, and I would leave the final decision about the FAS group to the others here :) My points are made :P
Thanks @t0xic0der for creating the repo ;)
I forgot, if the consensus will be to create something new, I am not sure if the old FAS group should be deleted? It's inactive for years, and for other people, who are not yet involved with security matters/people, it is not straightforward to differentiate between Security SIG and Security Team (?) when considering how / to whom to reach out. It creates a risk for users to end up in a dead channel/address etc. Just a thought :)
I think starting with a clean slate for owners / members teams would be good. Members of the "old" group who are still active can be added if they want - but I would prefer not to add old inactive members, just from a security perspective (lost credentials?) alone - i.e. similar to what happens to inactive "packager" or "provenpackager" group members.
Cool, I am starting with requesting the creation of two FAS groups with zero relation to the pre-existing ones, as cleaning them up is beyond the scope of this migration. @ryanlerch, could you please create a
forge-security-ownersFAS group with @decathorpe, @q5sys, @siosm and @nirik (or @kevin) as both members and sponsors? Do the same with the newly createdforge-security-membersFAS group as well, and the folks here can take the liberty to decide whom to include in self-service? Thanks in advance!Oh, before I forget, I have also opened a pull request to perform the team and group mappings.
plus the one and only @py0xc3 :-)
Fedora Accounts groups created.
both teams have the following users as both sponsors and members:
The pull request has been merged.
@decathorpe, @kevin, @py0xc3, @q5sys and @q5sys, please log out and log back in to let the updated mapping take effect. From there on out, you should be able to take the namespace for a spin. Please feel free to reopen this ticket should you face issues.
@t0xic0der does it make sense to open a separate topic about deleting the old "security-team" FAS group? It's dead for a decade or so, and it still exists and links to a lot of dead channels, and at some places causes confusion and inconsistency.