gradle / plugin-portal-requests

Gradle Plugin Portal issues and requests.
https://plugins.gradle.org/
12 stars 8 forks source link

Add organization accounts #16

Open martinbonnin opened 4 years ago

martinbonnin commented 4 years ago

Can we have "organization" accounts, similar to github organizations that could maintain a list of developers with:

This would allow to manage several contributors in a more flexible way than sharing an email + password.

Shuyinsama commented 4 years ago

Seconded. Another issue is that the api key and secret for that specific user cannot be refreshed/deleted/invalidated from the dashboard.

Making it possible for someone with malicious intent to alter a plugin even if you would have changed the account password.

Making this, in my opinion, a high priority issue. (Unless I am missing something)

Depending on out security officer’s decision we might remove our plugin from the Gradle repo until this is resolved. We are still looking into this since our AVG/GDPR certification does not specifically specify a scenario like this, but is definitely something we are considering.

As an example: NPM has a organization dashboard where you allow users to be added and removed. Allowing you to also revoke a users complete access.

They also use the users own username and password as verification during the publishing of a package and updates. An organizational unit can also define the required security rules, like two-factor auth to be used. I realize gradle works a bit different of course

I've asked a similar question on the forums before knowing this repo/issue existed: https://discuss.gradle.org/t/plugins-clarification-how-do-we-handle-lost-stolen-publish-key-and-secret/34532