Initial write-up for member audit #100

RRosio · 2025-03-25T18:05:35Z

No description provided.

manics · 2025-03-27T15:32:18Z

I think this makes sense. JupyterHub kind-of has a policy for following up on inactive members, though I can't remember the last time we followed it: https://jupyterhub-team-compass.readthedocs.io/en/latest/practices/check-ins.html

What might be worth doing in this policy is emphasizing that GitHub privileges are not a reflection of project membership or status within that project. Traditionally it's been seen that way, but from a security perspective you might be one of the most important/influential people in a project, but if your role doesn't require GitHub privileges then you shouldn't have them.

Carreau · 2025-03-27T18:13:02Z

Sorry i'm going to stay short.
I think a user can/should be able to be marked manually as active (with a reason) on any tooling.

GitHub is uppercase G and H I believe.

rpwagner · 2025-04-01T22:32:56Z

This is looking good. Let's make the first goal to get this to into this repo and communicate it. Next, I'd like to propose a subsecurity section in the governance documents under Organizational Policy.

Learning from this and the 2FA implementation, we can probably draft a short guide on how to propose, decide, communicate, and implement future security policies.

dlqqq

@RRosio Thank you for putting this together! This is a great first start. We can make more revisions later. Just one minor comment worth addressing here. 🤗

dlqqq · 2025-04-03T15:29:23Z

docs/member-auditing.md

+
+## Reinstatement of Access
+
+If a member's privileges are adjusted due to inactivity, they can be reinstated upon request. Our goal is to maintain security without hindering future contributions.


As a reader, it's unclear how I should reach out to the Security Council to reinstate my access privileges. We should probably suggest a way to contact us here, for example:

Suggested change

If a member's privileges are adjusted due to inactivity, they can be reinstated upon request. Our goal is to maintain security without hindering future contributions.

If a member's privileges are adjusted due to inactivity, they can be reinstated on request via email to `[email protected]`. Our goal is to maintain security without hindering future contributions.

Should this be handled via the subproject instead of the central security email?

Yes! This isn't about a security vulnerability so having it go to the mailing list is better--and more likely to be seen.

Perhaps! This ambiguity is exactly why I think we should document it here first. 😁

initial writeup

5d62f79

RRosio added 3 commits April 1, 2025 08:51

update GitHub name uppercase

a93f8cb

clarify membership

131fde5

clear up wording

d08d925

Carreau mentioned this pull request Apr 2, 2025

Audit Jupyter Project Organization Members #99

Open

dlqqq requested changes Apr 3, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Initial write-up for member audit #100

Initial write-up for member audit #100

RRosio commented Mar 25, 2025

manics commented Mar 27, 2025

Carreau commented Mar 27, 2025

rpwagner commented Apr 1, 2025

dlqqq left a comment

dlqqq Apr 3, 2025

manics Apr 3, 2025

rpwagner Apr 3, 2025

dlqqq Apr 3, 2025


		## Reinstatement of Access

		If a member's privileges are adjusted due to inactivity, they can be reinstated upon request. Our goal is to maintain security without hindering future contributions.

Initial write-up for member audit #100

Are you sure you want to change the base?

Initial write-up for member audit #100

Conversation

RRosio commented Mar 25, 2025

manics commented Mar 27, 2025

Carreau commented Mar 27, 2025

rpwagner commented Apr 1, 2025

dlqqq left a comment

Choose a reason for hiding this comment

dlqqq Apr 3, 2025

Choose a reason for hiding this comment

manics Apr 3, 2025

Choose a reason for hiding this comment

rpwagner Apr 3, 2025

Choose a reason for hiding this comment

dlqqq Apr 3, 2025

Choose a reason for hiding this comment