- Issue created by @cmlara
- 🇺🇸United States dww
In principle, +1 to being able to validate that people are people. But huge -1 to this specific proposal. It would mean only people with the privilege and resources to travel for in person events could be vetted. That seems like a non-starter to me.
- 🇺🇸United States greggles Denver, Colorado, USA
Is this for "Git vetted user" or membership in (and the role) of "security team" ?
I think this is an important risk for us to manage, but agree with dww we don't want undue burdens in the way of contributing.
- 🇺🇸United States cmlara
Is this for "Git vetted user" or membership in (and the role) of "security team" ?
Note: this suggestion originated with another user on Slack in relation to 🌱 [META] Increase Security of Project Ownership Transfer Process Active . I'm posting it as part of the follow-up of creating issues for possible solutions. It could possibly use refinement, though on initial glance the concept is in my opinion reasonable.
This is for the "Permission to opt projects into Security Coverage" permission.
On a personal note: My account currently holds this permission. Under the proposed changes I likely would not, as I have not been to any Drupal Convention, user group, etc., nor do I have any plans to do so in the foreseeable future. This change would make it harder for me to obtain, though that is not necessarily bad. No one here has met me; no one knows if I'm actually 20 people working together under a common identity to build up my reputation for a big attack. Given the ability that comes with this role (taking over ownership of project namespaces and obtaining security vulnerability information when working to adopt modules unsupported due to unfixed security issues) it is fair to view it as sensitive.
Personally: I could live without the permission if we decoupled it from the ability to opt projects into security coverage, and the ability to adopt modules required an additional 'identity vouched' permission.
- 🇳🇴Norway gisle Norway
-1
For the record: If this proposal had been accepted prior to me receiving permission to opt projects into Security Coverage, I would probably not have received it, and hence not been able to participate (at least not to the extent I have been able to participate in the community). I've never had the funds to show up at an overseas event in person to prove that I'm really me.
Also, as anyone who has watched Spike Lee's excellent BlacKkKlansman would know: Assigning identity by means of having someone show up in person is not a very secure way of establishing someone's true identity.
- 🇺🇸United States cmlara
I would imagine this would be conceptually similar to the old "web of trust" system, where a person (ideally local) who knows and collaborates with someone over a period of time vets them out, reducing the burden and limiting the travel needs.