Open david-a-wheeler opened 4 years ago
dankohn
commented
4 years ago The alternative, more functional capability would be to delegate trust to project admins on GitHub. Any admin would be allowed to edit the project they're admin of. Of course, that would only cover GitHub, but the vast majority of our projects are hosted there.
david-a-wheeler
commented
4 years ago One way to do this is to have a separate table of "transfers" with "/transfers" as the API resource (and controller). This is a slight overkill, but it would make API clean.
Transfers would only be valid for a period of time, say 21 days after they are created (they are deleted after that).
An alternative approach would be to store the "potential new user id" in the projects record, along with the time it was sent. In the projects edit page, there'd be a new advanced field for "Transfer ownership to user id:" that only shows to owners & admins. ONLY the current owner or admins can edit this field. If edited, it can be a user id or empty (if you delete it, that stops a transfer).
david-a-wheeler
commented
4 years ago The alternative, more functional capability would be to delegate trust to project admins on GitHub. Any admin would be allowed to edit the project they're admin of. Of course, that would only cover GitHub, but the vast majority of our projects are hosted there.
We already try to allow any admin to edit the project they're an admin of. However, GitHub does not reliably tell us when someone is an admin (!). See: https://github.com/coreinfrastructure/best-practices-badge/issues/1254
And as you noted, not everyone is on GitHub.
dankohn
commented
4 years ago Sorry, that issue doesn't illustrate what the problem is with relying on GitHub.
david-a-wheeler
commented
4 years ago The issue is that in the badging project we always want a single final owner, and we need to confirm carefully any transfers. Not all is on GitHub, and GitHub doesn't provide reliable answers last we tried.
dankohn
commented
4 years ago The alternative would be to say that we're fine with multiple owners of a project, and we're happy to outsource tracking of that ownership to GitHub (when the project decides to). Then, we'd need to figure out whether we can reliably get a list of all valid admins of a project from GitHub when someone attempts a change.
david-a-wheeler
commented
4 years ago That covers 0% of projects. It won't work on GitHub (we can't reliably get the info & we've tried in the past), and it won't work for projects not on GitHub :-). The current setup assumes exactly 1 owner; that can change, but would be more work. I was hoping for something easy-to-implement to automate a relatively rare situation :-).
dankohn
commented
4 years ago It's the "can't reliably get the info" that I'm questioning. But, I'm not volunteering to do the work to show that GitHub is reliable, so please go ahead with your approach.
david-a-wheeler
commented
4 years ago It's tricky to do the research, because things seem to work for some users & not for others when we tested this a while back. We never did figure out a pattern. I think GitHub is intentionally hiding some info, possibly due to privacy concerns. Put another way, I don't think that GitHub's database is corrupt; I just think that GitHub doesn't always tell us all it knows, for reasons we don't understand.
If we do transfers the way first proposed, then transfers will "just work" no matter what. I like "just works" :-).
We have received more ownership transfers, so now that we have more projects it's starting to make more sense to automate ownership transfers.
From a security POV:
From a simplicity POV, I think a current owner should designate a single new potential owner UID.