Changes to the USACE organization #2
-
cc - everyone @jwellard @g0pdwmkf @rcozmyer @clinch-tyler @allenavance @FHanbali @zelbah @lucasb16-exe @CWBISAST @jds999 @hekelud @SAMease @JimGarster @ctownsen357 @RyanHutchison @Prototroid @jguevarra @cyvu37 @ajbuchanjr @eheisman @jmdegeorge @bfmorriss @adamscarberry @KevinJJackson @thill02 @marko-nedzbala @charles-p-howe @rripken @andykawabata @HenryGeorgist @zakariah1 @sambaldwin05 @Enovotny @jordan-shiloh-bah @chrisekelley @ajkennedy-HEC @heather-godbey @Brennan1994 @jeffsuperglide @barne856 @mgdenno @dennisgsmith @jmtaillon @jbkolze @gesamples @thwllms @mkoohafkan @Vin-Cento @fgarcia0128 @Streudal @aabraham-bah @maxmc2234BAH @rcoffey-bah @brooks-charles @FlowMatric @rgoss @krashanoff @tyler-siskar @abaghum @rnugent3 @willbreitkreutz @jonfreed2 @trietmnj @coreypell @rwolniak @ktarbet @bmulcahy @KHodgens @athomann @LSEETHALER @timbbaldwin @slawler @mavocado4 @ogdenba @MikeNeilson @ShaneMPutnam If you have any questions, please add to this thread.
-
Separate GitHub accounts for work and personal is not really recommended by GitHub (in fact the docs suggest merging accounts if you have more than one). I don't have an issue with the profile requirements per se, but I don't think they are sufficient for the security issues I presume are behind these requirements (anyone can put any email, workplace, or profile picture on their account). It also doesn't handle removing users when they leave USACE. I think an email template for org join requests that require an email sent from/to a verified USACE or other approved email account, coupled with a periodic "renewal verification" requirement or similar, would be more effective. This might even be something that a GitHub organization can do as an automated response to join requests or via a GitHub action to do an email blast at renewal time. I can experiment with that on a test organization if that would be helpful.
-
I think if people want to have separate accounts that's fine, but I don't think it should be a strict requirement. Some people contribute to open-source projects on their own time, and that work is still part of their professional portfolio (and we shouldn't be dismissive of that, considering how much USACE relies on open-source software 😉). Forcing users to separate their work into multiple accounts is an unnecessary burden, especially given that one of the main purposes of GitHub organizations is to let companies manage privacy and security of their codebase independently of the user accounts associated with the organization. Account pseudonyms and lack of personal info associated with an account are not a security risk, as long as there is a formal vetting process for approving users. In fact, it makes it harder for phishers or spoofers to obtain information that could be used against the organization (or the user themselves). Requiring users to add their professional and personal information to their account bio also does not replace the need for a formal vetting process. Again, I am assuming that this policy change is motivated by security concerns.
-
Hi all,
I don’t think I should be a member of the organization since I am no longer a member of CRREL/USACE as of April of last year. Please let me know if any further action is required from me.
Best,
Denzel
…________________________________
From: Will Breitkreutz ***@***.***>
Sent: Monday, October 2, 2023 3:00:41 PM
To: USACE/policies ***@***.***>
Cc: Ketter, Denzel [USA] ***@***.***>; Mention ***@***.***>
Subject: [External] Re: [USACE/policies] Changes to the USACE organization (Discussion #2)
Totally understand the comment, and there's no requirement for multiple accounts, just that to be a member of the org, the profile must be configured based on the guidance above.
-
I'm glad I noticed this activity, I don't put much outside of p1, but I'm newer to this ORG space. I already fell in line with most all of the requested items, enabled 2fa.
-
Hi All,
As this org is growing, we probably need to make a few changes. New member requests have been coming through with users that have blank profiles and cryptic usernames; this makes it hard to verify that we give the right users access to the org and repos/teams.
We are going to be adding some profile requirements in order to get membership to the USACE org. In addition to requiring that 2-factor auth be turned on, we will start looking for the following attributes of users' profiles:
Note that if you do not want to mix your work and personal profile, we recommend you create a separate account tied to your work e-mail address and use that for USACE projects.
We have removed any accounts that either have no commit activity or haven't had any since 2019. If that affected anyone that you know of, they are welcome to request access again.
We will be implementing the requirements for profile information and 2FA on 6-October-2023 so you have a little time to implement the settings.
Thanks for bearing with us, this will make life easier for participants in the USACE organization.
-Will (and Randy and Lyle and Joel)