Removing inactive CERT members to reduce risk


wfoll...@cloudbees.com

Jul 14, 2023, 9:55:33 AM7/14/23
to Jenkins Developers

Hello everyone,

This email is a continuation of https://groups.google.com/g/jenkinsci-dev/c/8cy8w7ZqyB8/m/eZfaenQzEAAJ.

The "CERT" (= Security team) has access to some confidential information like not-yet-disclosed vulnerabilities, which fixes are in progress, internal discussions about problems to solve, etc.

Several members of this team have been inactive for a long time, some of them multiple years. Those unused permissions are a risk to the project, due to phishing campaigns or accidental screen sharing, for example.

During my search I differentiated the people working on a particular plugin fix and the ones that are actively contributing to the security globally. Nothing changed for plugin maintainers who will still receive specific access to their own scope.

The impact is on permissions in GitHub, in Jira and the jenkins...@googlegroups.com, where some had access to one but not the other.

Thanks everyone for your past contributions, and you’re of course welcome back any time :)

For transparency and future reference, here is the list of people who are at least partially affected:

  • Beatriz Muñoz
  • Jeff Thompson
  • Kohsuke Kawaguchi
  • Oleg Nenashev
  • Olivier Vernin
  • Matt Sicker
  • R. Tyler Croy
  • Raúl Arabaolaza Barquin

Best regards,


Wadeck Follonier
Security officer

Basil Crow

Jul 17, 2023, 2:19:40 PM7/17/23
to jenkin...@googlegroups.com
On Fri, Jul 14, 2023 at 6:55 AM 'wfoll...@cloudbees.com' via Jenkins
Developers <jenkin...@googlegroups.com> wrote:
>
> This email is a continuation of https://groups.google.com/g/jenkinsci-dev/c/8cy8w7ZqyB8/m/eZfaenQzEAAJ.

Is it a continuation if the last post to that thread remains unacknowledged?

wfoll...@cloudbees.com

Jul 18, 2023, 4:05:25 AM7/18/23
to Jenkins Developers
Security is often a balancing act, to improve the security situation while not impeding too much on others.

Your proposal about a more extreme approach was discussed and rejected. Your latest message was read but as that discussion seemed to be sterile from my PoV, I preferred to move forward.

Basil Crow

Jul 18, 2023, 10:59:19 AM7/18/23
to jenkin...@googlegroups.com
On Tue, Jul 18, 2023 at 1:05 AM 'wfoll...@cloudbees.com' via Jenkins
Developers <jenkin...@googlegroups.com> wrote:
> Your proposal about a more extreme approach was discussed and rejected.

But not with a valid justification.

> that discussion seemed to be sterile from my PoV

I fail to see how that discussion is sterile. Neither of the arguments
in my last post to that thread had been raised previously.

wfoll...@cloudbees.com

Jul 18, 2023, 1:56:47 PM7/18/23
to Jenkins Developers
To come back to the previous topic, what you have mentioned / proposed is a long-term approach requiring additional changes / setting expectations / getting agreements. It's just not in the current scope of the changes I want to make. I prefer to have an incremental approach that provides value right now instead of waiting on a larger effort that will provide value only later in the future.

> Starting small and increasing the scope over time. CERT membership and VPN/infra access will follow soon.

If you think your proposal should be implemented, I would suggest you start a new thread, as it's beyond the original scope of the existing ones.

Basil Crow

Jul 18, 2023, 2:25:25 PM7/18/23
to jenkin...@googlegroups.com
On Tue, Jul 18, 2023 at 10:56 AM 'wfoll...@cloudbees.com' via Jenkins
Developers <jenkin...@googlegroups.com> wrote:
>
> I prefer to have an incremental approach that provides value right now instead of waiting on a larger effort that will provide value only later in the future.

Why not proceed on both fronts concurrently?

> I would suggest you to start a new thread, as it's beyond the original scopes of the existing ones.

The essence of my argument is that the scope of the current effort is
too limited. I suggest you expand the scope of the current effort as
described.