search

supercollider / supercollider

An audio server, programming language, and IDE for sound synthesis and algorithmic composition.
http://supercollider.github.io
GNU General Public License v3.0
5.38k stars 740 forks source link

Improve security of SuperCollider org and repos #5126

Open mossheim opened 4 years ago

mossheim commented 4 years ago

Motivation

note a terminology point, there are 2 sets of permissions here: "organization level" and "repo level".

this was a topic at the last dev call. right now, there 17 people with owner-level permissions in the organization. of them, only 5 people have 2-factor authentication enabled. in addition, all 24 members of the core team have admin-level permissions to the supercollider, supercollider-language, sc3-plugins, and website repos.

owner-level organization permissions mean:

admin-level repo permissions mean:

having this many people with this kind of access on the project is a significant and unnecessary security concern. first, because not using 2FA makes one's account more vulnerable to becoming compromised. second, because changes made by people with these permission levels do not always produce notifications (for example, replacing a release artifact on a published release which could be downloaded onto thousands of systems!). third, because it increases the chances for accidents to happen. it's a disaster waiting to happen; i literally think about this when i lie awake at night :joy:

Description of Proposed Feature

for now, i'd like to propose these changes, which seem reasonable to me and will greatly increase the security of the project:

  1. convert any 'admin' level permissions for any of our organization teams to 'write'. writers can still manage issues and PRs, including merging
  2. create a post in the core team (according to GitHub, that should mean it's visible by every organization member) before doing any of the following:
    • giving someone owner-level permissions
    • revoking someone's owner-level permissions (including your own)
    • adding or removing anyone as a member in the org
    • adding or removing anyone from any team in the org
    • changing a team or person's permissions on a repo
  3. reduce the number of people with owner-level permissions in the organization to around 5
  4. require 2FA for everyone with owner-level permissions (maybe all members even?)

note that all these actions are already viewable in the organization's audit log, but this gives an extra layer of transparency.

Plan for Implementation

if there's no objections to the contrary (1) and (2) can be implemented right away and a notice sent out (to sc-dev, slack # dev, and scsynth.org).

for (3) and (4), i would just like to email everyone individually to see if they would like to keep their owner-level permissions, and if so, that they enable 2FA. anyone who does not respond and/or enable 2FA within 2 weeks will also have their permissions revoked.

forgive me this one ping please -- i feel that for the sake of transparency these people should know this conversation has been started. the people with owner level permissions currently are:

@adcxyz @brianlheim @crucialfelix @danstowell @gusano @jamshark70 @jleben @joshpar @joslloand @LFSaw @lijon @miguel-negrao @muellmusik @Sciss @scztt @sicklincoln @telephon

dvzrv commented 4 years ago

This makes a lot of sense from an organizational and from a security point of view and I very much welcome this incentive. Speaking from experience with other github organizations:

Especially in the first case the motivation behind this has been occurences such as the gentoo organization hack in 2018, which luckily did not have serious repercussions for users of the distribution (unnoticed this would have been a complete disaster though, potentially affecting thousands of systems worldwide).

What can be learned from these problems is though, that the fewer people with far-reaching access rights are in an organization, the better. IMHO people such as distribution maintainers, release managers and maintainers of widely used software should ensure, that they increase their effort in securing their access as much as possible (e.g. using 2fa hardware tokens such as nitrokey or yubikey). Failing to do so opens the door to supply chain attacks which can have far reaching and very damaging implications for thousands of people. Running an organization of this size means a lot of responsibility and I assume no one would like to get into a situation in which accidentally source code or binary content containing malware is shipped or control over the supercollider organization is lost.

dyfer commented 4 years ago

Thanks @brianlheim for bringing this up. I think the proposed changes are good. I would just suggest to increase the waiting period after you send out individual emails to maybe 4 weeks. People might be offline because of vacation or might be unreachable for variety of reasons, especially given the current state of everything.

mossheim commented 4 years ago

i don't mind adding people back if they respond past that deadline, and if they are busy with other things they shouldn't need the access anyway.

mossheim commented 4 years ago

Here's a draft of the email I intend to send for this, comments welcome. I believe I have active email addresses for everyone on the list, although I had to search a bit for @lijon (lijon at kymatica) and @sicklincoln (clicksonnil at gmail). (If either of those are wrong please let me know!)

Bits in [brackets] I will only include if the person on the other end hasn't enabled 2FA.

Subject: SuperCollider organization permissions

Hi ___,

I hope this message finds you well. This is a non-urgent message about SuperCollider. If you don't have the bandwidth to read this or respond to it, for whatever reason, feel free to respond to it later, or not at all. If you are not actively contributing to SuperCollider, or are taking a break from contributing, it will not affect you in the slightest.

I'm writing to you because you are one of the seventeen people with owner-level permissions in the SuperCollider organization [1]. In order to protect the project from security breaches, I'm attempting to introduce some stricter security policies (see [2] for background and motivation). In general, the goal is to give people only the access they need to do their work, and for those with far-reaching permissions, to improve the security of their accounts. This will help protect SuperCollider from malicious hacking including deletion of repos, loss of control of the organization, abuse of signing certificates and deployment services, and malware injection into shipped binaries; and protect us from accidental slip-ups by legitimate members of the project.

To that end, I'd like to request that you please consider whether you would be willing to switch from Owner to Member organization privileges. The primary difference between the two roles is that Owners are able to add and remove other Owners, and have Admin privileges on all repos, allowing them to transfer ownership of, make private, and delete any repo in the SuperCollider org. In contrast, Members have Write privileges on all repos, can review and merge PRs, and can update and close issues.

These are the current Member permissions for the SuperCollider organization [3]. This is a detailed breakdown of the differences among different permission levels [4].

If you wish to retain Owner privileges, I'd like to ask that you please let me know in a sentence or two what you need them for. As an example, I need these privileges to configure collaborators and admins on organization repos, to transfer repos into the organization, to archive repos, and to manage webhooks. Note that you could also change from Owner to Member while also keeping Admin privileges on specific repos within the organization.

[I'd like to also request that if you are retaining Owner privileges, to please enable two-factor authentication (2FA) [5] on your account and also consider strengthening your password. 2FA is a simple but effective security measure, used by many organizations for protecting accounts with far-reaching access, so there is no excuse not to use it for Owner privileges in SuperCollider as well.]

I am requesting these steps because they are very effective short-term measures that will improve the security of the project. In the future, time permitting, I would like to have a more nuanced discussion around permission levels and security for the organization. To that end, if you have any ideas, questions, or concerns, do feel free to leave a comment on the GitHub issue [2] or reply to me directly and I can record it there.

If I do not hear from you within two weeks[, or if in two weeks' time you have not enabled 2FA], I will assume that you do not currently want or need these permissions and change your role from Owner to Member. The reason for this initial deadline is the same as the other changes -- by default, permissions within the organization should be as restricted as possible, and expanded only if and when it is necessary to do so. This will be documented publicly as a post within the Core Team discussion space [6], and on the GitHub issue related to this [2], and an unalterable and permanent record of the change will be visible in the organization's audit log [7]. This would be a non-permanent change. If at any point you enable 2FA and wish to regain Owner permissions, you can let me and/or another Owner know; I would be happy to reinstate those permissions.

I look forward to hearing from you and to collaborating in the future.

Kind regards, Brian

[1] https://github.com/orgs/supercollider/people?query=role%3Aowner [2] https://github.com/supercollider/supercollider/issues/5126 [3] https://github.com/organizations/supercollider/settings/member_privileges [4] https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/repository-permission-levels-for-an-organization [5] https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa [6] https://github.com/orgs/supercollider/teams/core-team [7] https://github.com/organizations/supercollider/settings/audit-log