[systemd-devel] GitHub / private repos

Dimitri John Ledkov xnox at ubuntu.com
Sun Jan 27 11:05:54 UTC 2019


On Sat, 26 Jan 2019 at 12:43, Lennart Poettering <lennart at poettering.net> wrote:
>
> On Di, 15.01.19 21:21, Alex Dzyoba (alex at dzyoba.com) wrote:
>
> > When you create a new organization you can choose "Team For Open
> > Source" plan. Here is the link
> > https://github.com/account/organizations/new
> >
> > Though, I don't know if it's possible to upgrade the existing systemd
> > organization, sorry. Maybe it's possible to contact github support to
> > ask for this.
>
> So I had a closer look at this, and found this:
>
> https://help.github.com/articles/github-s-products/
>
> IIUC "GitHub Team for Open Source" doesn't actually add anything we
> need. Because what we need would actually be the ability for arbitrary
> people (i.e. not people who necessarily are members of our systemd
> team on github) to send us private PRs and issues in order to handle
> security issues.
>
> It appears to me that plan does not provide the core need we have:
> allow those random folks from the Internet to report security issues
> in privacy to us... Or what am I missing?
>

It doesn't seem to be exactly that.

Reading help, I guess one can create a secret issues-only repository
https://help.github.com/articles/creating-an-issues-only-repository/
The permissions look almost ok, but I fear that everyone will be able
to see all the issues. Whilst we would want to restrict issues to be
visible only by "author + write/admins". Ditto pull requests.

I guess we could create a private repository per issue..... but that
will get messy quickly, although I would expect each one to be
short-lived for each individual CVE.

-- 
Regards,

Dimitri.

