Closed cartersocha closed 1 year ago
@cartersocha Who'll maintain the repo, will that be @open-telemetry/sig-security-maintainers? Will the default repo setup (https://github.com/open-telemetry/community/blob/main/docs/how-to-configure-new-repository.md) work for you there, including the PR review requirements?
Yes, all the usual stuff works as long as it's a private repo. Re-using sig security maintainers makes sense too. Thanks for the help.
I created the repository and added @open-telemetry/sig-security-maintainers as Maintainers.
After discussing with the rest of the @open-telemetry/technical-committee, I also changed the base permission in the organization from "Read" to "No access" for private repositories. All our repositories are public except for these CVE-related ones and for them, we have explicitly defined access rather than by default opening them up to all of our ~500 org members.
This change is causing lost productivity for other repos, see https://github.com/open-telemetry/community/issues/1826
Is there an alternate approach possible?
I don't think this has been root-caused properly. @arminru's comment says "I also changed the base permission in the organization from 'Read' to 'No access' for private repositories", which should not be causing the issues described for regular repos. Unless he was mistaken and GH does not allow this separation (screenshots would be helpful).
An alternative is: maybe we can avoid private repos in this org and use another org for those.
As for the ability to access (read) repositories, it doesn't make any difference for public repos (which anyone can see also without being logged in) but it does seem like the lack of explicit Read permission has the side effects reported in #1826. Let's discuss alternative approaches on our TC call tomorrow.
Sig-security is building an active-incident Grafana dashboard for the TC / GC to get an overview of open incidents and track their completion. We need a secure / private file store to keep the underlying CSV files and run the Python data population script. Active incident information should not be available publicly.
I was able to successfully connect Grafana to a CSV stored in a test private repo in my personal GitHub org.
Potential repo name could be OpenTelemetry-filestore.