incubator-general mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: ASFIncubator now managed via TweetDeck
Date Tue, 31 Mar 2015 03:08:27 GMT
>
> The above makes a really nice, security-conscious scheme
> that I would love to champion among various PMCs
> and suggest that we document it as part of our social
> media guidelines. The only open question in my mind
> is who (and by extension what email address) should
> the master ASFxxx account be associated with. I see
> two alternatives here:
>     * ASF Infra team collectively owns it
>     * Whoever controls @TheASF owns it
>

Neither IMO.
Infra doesn't want it (and we will politely decline if asked to manage
your social media creds). And burdening Sally, Jim, Joe, etc. with
scores of projects' credentials isn't going to scale well.

If I were to define it: make the address for the account
private@$foo.a.o (CloudStack uses an alias that forwards to
private@cs.a.o IIRC). I would say turn on MFA for the account (device
held by the chair or his designee) and keep the override codes encrypted
to multiple PMC members in the project's private svn tree (and open to
add more PMC members at their request). That gives the PMC the ability
to override if someone disappears or goes off the tracks. Federating
access is easy with Tweetdeck or Hootsuite - securing the account
becomes a lot easier as well.

--David
