Rights management

[fcollonval]

Dear @jupyterlab/former-admin

Following the JupyterLab council membership check and the application of the new policy (#206), you are gonna be removed as owner of the GitHub JupyterLab organization. This will have side-effects on your rights on repositories within the organization.

Could you get in touch (like by commenting here) in case you want higher rights on some repositories within this organization or if you have any questions?

[Carreau]

I have no objections of not being an owner, nor admin, though for for security audit and opening/orchestrating CVE/GitHub Advisory it would be good to have some admin/owner of JupyterLab organisation to be take part of the security council.

I see for example that I cannot access the JupyterLab org setting anymore, so I can't make any review of who has access or if 2FA is enforced.

I cannot either open security advisories on any repo either.

I recently had to audit all orgs as a member had lost their main device and 2FA method and had to revoke their membership. This is currently not feasible.

[fcollonval]

BTW all this thread should also consider who can publish jupyterLab, I seem to be able to publish it, so I likely should be removed.

You mean by that, that you can start the publication workflow? If so, yes it is expected. But the workflow will stop with an error as it will check that the workflow caller as administration rights on the repository (what you don't have, if I'm not mistaken).

[fcollonval]

but it seems that we should make that more official than one person happening to be in both groups (I might be on vacation!). For example, instead of counting on an overlap, there is a clear protocol where security can contact the admin group with requests (i.e., security knows what group to ping, and the group as a whole is responsive to security requests).

👍 for that. But should that process be drafted by the security group in order for you to get an homogeneous practice for reaching out to subprojects?

[Carreau]

You mean by that, that you can start the publication workflow? If so, yes it is expected. But the workflow will stop with an error as it will check that the workflow caller as administration rights on the repository (what you don't have, if I'm not mistaken)

No I mean I'm also a owner of https://pypi.org/project/jupyterlab. I guess me and a few other folks should at least be downgraded from owner to maintainer, or removed altogether.

[Carreau]

👍 for that. But should that process be drafted by the security group in order for you to get an homogeneous practice for reaching out to subprojects?

Well, but that's one of the reason I (and the security group) pushed for less organisations on GitHub because with 12 orgs, that mean we need to have 12 people, each with a fall back for each of the orgs we manage. And frankly it's unwieldy to just keep informations up to date. And even after we asked for less organisations, more were created. So recommendation only go that far, and really there are many things that are such a pain to do when you have that many orgs.

[fcollonval]

No I mean I'm also a owner of https://pypi.org/project/jupyterlab. I guess me and a few other folks should at least be downgraded from owner to maintainer, or removed altogether.

This is ongoing - as it was requiring to invite people to the Jupyter PyPI org and then setup the rights for the package as well. You should now have lost your rights on PyPI.