Closed navarroaxel closed 2 years ago
I am curious: what will this account be used for? New command notifications? Team changes? Other news?
We could have tweets about:
Any updates for this?
Could also add things like general questions for TLDR features which are being discussed, such as our current conversation for having a sending off of data about people's tldr commands, e.g. missing pages.
The most immediate question though is who has the password for it.
Twitter together sounds like a good way to do things, so I suggest we set that up first in a new GitHub repo in the tldr-pages org and then look at developing some tooling to automatically commit new tweets.
I'd imagine the creator of TLDR
@ rprieto made tldr, but I believe @ igorshubovych made the Twitter account.
A novel idea: we could have a private https://github.com/tldr-pages/secrets repo, that's only visible to org owners (not even members), who have a long time of trust. We could store info such as passwords, keys, etc. in it. Also stuff like @tldr-bot's credentials, which I believe @agnivade has?
I agree. Org owners since others don't need that secret anyway
Or just tell the password to the people on safe messaging services. Why store it in a repo? GitHub has been hacked before, I'm pretty sure.
Storing it in a repository would be its history, so that we don't have to share them with new org owners all over again. There's nothing new about that idea — https://github.com/nodejs/secrets & https://github.com/nodejs/keys exist but are private.
What about cost? Does GitHub have any plans to charge for private repos again as they did in the past?
No idea, but I suspect not — why would they take it off and then put it back on? If they ever did, we could always do something like transfer it to your or my account or any member of our team that has a pro account, and add the org owners as collaborators 🤔
I don't think it's a good idea to store it in a GitHub repository. 🤔 Uploading data unencrypted is the same as giving that entity access to the data.
In other words, you aren't just creating a GitHub repository to share your passwords. You're giving both GitHub and Microsoft the password to your Twitter account.
There is no reason to do this regardless of context, large business, community project, or even an individual. GitHub is not a password manager.
If you're keen on sharing the password, I'd strongly recommend setting up an end-to-end encrypted solution at the very least.
In my opinion, the best would just be to set up a free organization on Bitwarden for tldr pages managed by the 2 most trusted members. Then use Bitwarden Send (free end-to-end encrypted sharing) to share the password with individuals that have any reason to access the Twitter account.
Being a trusted member/owner of tldr doesn't mean you have reason to access the Twitter account. We should be following the principle of least privilege. The only reason to ever see the password is if you are both trusted, and will actually do something with it.
> only visible to org owners (not even members)
That's still too many people.
> Or just tell the password to the people on safe messaging services. Why store it in a repo? GitHub has been hacked before, I'm pretty sure.
Strongly agree with this concern.
Edit: I'd like to clarify, since what I said may be poorly worded. There shouldn't be a need to share it with GitHub if GitHub itself will not be using it. It makes total sense to use it as a CI secret, if we'd use something like Twitter Together.
Great idea about Bitwarden there. Is there a cost to bitwarden, and do they have a program for open-source orgs to get it for free?
A Bitwarden organization for 2 people is free. (Bitwarden Send can be used to send passwords to other members securely.)
I don't think they have anything specific for open-source, but for non-profits they offer a 25% discount.
If open-source is included in that definition, I'm not sure. I can vouch the process doesn't include checking if you're a registered charity/non-profit in any jurisdiction, so I'm guessing it's case-by-case.
If this doesn't suit you, we can always explore other password managers. I just suggested Bitwarden because it's my preferred password manager, plus it's open-source.
Hrm, I'm not convinced that 2 people is really useful there @SethFalco, given that one could simply just share the password for example. We'd want to be able to support maybe ~3 to ~5 people. Still, it wouldn't hurt to drop them an email to ask?
Understood. In that case, it doesn't hurt to ask. Who's gonna drop a message? I know back in the Weblate issue an email was formally agreed upon by the members, would you want to do that again? Or is an informal message fine?
Easiest way to contact privately would probably be: https://bitwarden.com/contact/
> one could simply just share the password
I would say Bitwarden is significantly more useful if you intend to share the password over GitHub, Gitter, email, or some other insecure means that is not end-to-end encrypted.
I agree with your point only if you're referring to sharing it via an end-to-end encrypted Matrix room, end-to-end encrypted email like Tutanota, or some other end-to-end encrypted means.
Even then it's not ideal, as Bitwarden Send is disposable and will erase the data when you're done with it. While leaving it in a chat room or email leaves it available in a read-only format in yet another location if the member of tldr gets breached, and there is no way for you to enforce all members to delete their emails/messages.
Could we not just use GPG encryption, then just send files through something simple?
Yeah, we could draft an email here, and then I can send it off.
I do agree that Bitwarden has benefits, but given we're an open-source org with limited funds, I'm not sure we can afford it right now (@ ostera's share is for our domain tldr.sh, and mine is for the hosting of the tldr-bot).
Hello,
I'm contacting you representing tldr-pages (https://github.com/tldr-pages/tldr) to ask about whether you offer any discounts or free tiers for Bitwarden for open-source organisations? We are considering using Bitwarden to securely store a number of secrets that we have accumulated.
Best regards,
I feel like I'm a bit too concise here.
> I feel like I'm a bit too concise here.
I'd say concise is fine. They don't need any of the fluff, they know what open-source is, and are familiar with GitHub so can easily see the notability of tldr, etc.
Unless it'll be one of those things where Sales gets the email, but doesn't know anything about the industry they're in Sales for. ^-^'
If you want to be safe, some things you could consider are:
Note: The bullet points contain ideas to consider only, and do not indicate any personal preference for inclusion.
I realize the sponsor one may be controversial and will require a wider discussion with other maintainers. Since tldr is trying to get free services outside what's readily available, it doesn't sound unreasonable to return the favor.
Some repositories on GitHub have a section for non-monetary corporate sponsors, for example JetBrains Licenses for Open Source Development:
Some other notable examples of non-monetary sponsors, but not on GitHub READMEs:
Considering that we are asking for free stuff, the best you can do is show some gratitude.
I personally wouldn't mind an advert type of thing, if they would be inclined.
Noting down our infrastructure doesn't seem like such a bad idea - either at the bottom of the README as a list or elsewhere in our documentation is probably a good place. An advertisement is different in my opinion, and not acceptable. Simply noting briefly that they generously provide us with a service would be ok though - /cc @owenvoke, @mebeim, and maybe @agnivade on that one.
Stargazers / solely by volunteers is a good idea to mention too.
By advert, I meant a mention in the README. Like you have suggested.
Has anything been done for this? Unless I am stupid (probably the answer), what's wrong with public key encryption via gpg, since most of us have GPG clearly visible from github.com/{{username}}.gpg?
Getting back to the core issue at hand here - reactivating the twitter account - I think given the age of this issue it's probably a good idea if we go ahead and create a brand new account. Any thoughts for the name? The account in question we can't access is @tldr_pages.
Would Twitter allow @tldr-pages? Other alternatives would be @tldrpages, @tldr.pages or maybe even @tldr-project.
Oh! I was unaware that no one had access to the previous account, that's unfortunate. 🤔
Twitter usernames:
Looks like @tldrpages would be a winner.
(I've checked, and @tldrpages is available at the time of writing this comment.)
If the new account gets big enough we could maybe also ask Twitter to remove the old one and rename the new one to @tldr_pages.
So, who would be in charge of the account and what and when are we going to post something?
I could create the new account, and privately message active org owners on Gitter with the login credentials - encrypting with gpg where available.
See my comment here about content: https://github.com/tldr-pages/tldr/issues/5898#issuecomment-840903959
> I could create the new account, and privately message active org owners on Gitter with the login credentials - encrypting with gpg where available.
This is not needed @sbrl. I talked with @waldyrious and he will send you the credentials of the official account.
What about tldr_sh for the username?
Edit: read Seth's comment since it wasn't shown; my suggestion isn't as good as others suggested.
> This is not needed @sbrl. I talked with @waldyrious and he will send you the credentials of the official account.
Oh awesome @navarroaxel! That works too. I await the credentials then. I assume via Gitter or maybe email?
Any updates yet?
Heya, @marchersimon! Thanks for reminding me to update this issue. I now have access to the account through TweetDeck, and I think I can add other people to TweetDeck too. I can't create an API key though to set up Twitter Together though I don't think through TweetDeck, unless I just haven't found the option to do so.
tldr-pages org owners, if you can confirm to me your twitter account handle I will add you via TweetDeck.
🦆 @navarroaxel
Update: I now have access to the twitter account itself. Along with @ waldyrious we're now working on setting up https://github.com/gr2m/twitter-together/. It looks like you need to apply for a developer account, so we're working through that.
Other org owners can gain access to the Twitter account via TweetDeck - just ask :-). The Twitter account itself has personal info on it (e.g. phone numbers etc).
Other things that came to mind in our email conversation (private via email to exchange passwords etc):
Also a matter for later discussion: among the people with TweetDeck access, there should be some sort of agreement (ideally something explicitly documented) about how to handle the account: how to handle notifications (e.g. if someone sees them, do they disappear for the others?), what sort of replies and mentions are appropriate, etc.
--@ waldyrious
@ waldyrious also updated the profile banner / avatar to match our latest branding
I think we could make some posts about easy issues where everyone can help (e.g. translation templates), showcase various clients and other interesting things.
Phew! That took a while. Scheduled a tweet every other day showcasing a bunch of different clients using TweetDeck.
I tried to pick those which have been most recently updated.
Came across this discussion on GH today while looking at collaboration ideas for another OSS org, and just wanted to share an idea based off what our org does: 1Password offers their Teams plan free for open source projects - the instructions on how to get it are in the 1Password/1password-teams-open-source GitHub repo.
Different projects' philosophies/approaches may not allow for the use of 1Password, but if yours does, it's worth giving things a go. They went and built out an item sharing tool recently, and the requirements for the free account aren't too onerous (free licenses for all core contributors, 2 year license that needs to be renewed for free via email).
https://twitter.com/tldr_pages
This has been done. Closing!
We have yet to set up twitter together though, but I suppose that can be another issue.
We should reactivate the official twitter account for tldr-pages: https://twitter.com/tldr_pages
Comments from @waldyrious in Gitter:
Possible solution: TweetDeck and the Twitter together GitHub action (https://github.com/gr2m/twitter-together).