Trim active releasers list #499
Comments
/cc @nodejs/releasers
Please keep me on there. Appropriate key included below in details section:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCYSbr8uTzB4kbUvwesreEmPfSNQUbu/Ud5ltHJCnE6RHf9h6UZ4fRzDnIOk6PKy2C2jWqD9k/BIItWhWO7HXLGMwEdC29Bq7kw7+fFOMFEIEBndHdMDKsl+OWY/mwlHJ8oMeroh8/pk9cChWcXVPQhAyYrWVkaUeomLSHSYT7aZdXGOSpyWAPCd5RcSdfgdFhAZ0wpvfpFa//UV6ypxEvftXROqy9qYK+hmMdFWeBKpiTEpARxIHY0dcVX7SDnVFtiQDRJ2AF1BOQ7W2OEPf+5aGVAZNSIh18q3lWL83skSNsSWGNUdYhXiip/IO48JX1lZyPaUxp6vrZnK3nx+j3 [email protected]
I should probably be removed as a releaser. I _think_ this was the SSH key that was used, but honestly have no idea: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDRVSPGJyI+U88Mqaw+aRlUHDHmhg4LajzQGIFCvqAUsiBu2s0RFA4IUtqvOl74mKBWdaNVDP28EXxNdo9HUjjPO8rw1/8LOix+B7BvYJjkwQ2MophWw9HqjhtkRmrzSVagcTUbmwehtFHo80muwXTJ9jdKI0UoB8/nr3Da1Id8QdMWNmJ/KfA55DuBBtOJJx6hs0lA8RrBI7agOMMOTgh0a3W8MEIdyQBMANZqaruuMVX7MZ9X6L7DovMzsVBe42nx7UObcMMTzW/y2pWy/jNGZGGrVBdqv4GNXY+Zr11KIu/vPafL8G99X5J9D7hAC83OgiuDWjKSRit3iNmxmvt [email protected]
Please keep me on the list.
Please keep me on the list - I have been unable to participate for a while but should be able to resume duties soon, and plan to!
I'm not sure what the significance of this is but neither of you have SSH keys showing up in GitHub: https://github.com/jasnell.keys & https://github.com/jasnell.keys, I thought they were mandatory! So @jasnell and @codebytere could you drop in a key here please?
Please keep me on the list - I have a specific key for Node.js releases: Node.js key: ssh-rsa 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 [email protected]
Please keep me on the list.
/cc @BridgeAR @evanlucas @gibfahn (pinging the remaining releasers from https://github.com/nodejs/release#releasers-team)
I likely won't have time to help out in the near future, so feel free to remove mine. Thanks!
This is to keep the list up to date. Requested in #499 (comment)
Please keep me on the list. My used key is https://github.com/BridgeAR.keys
Am I mistaken, or did everyone who has done a release in the last year respond in the thread above? I wonder if a yearly check that people are still interested in being members is in order? Or since the release team's role is so clear, maybe a minimum number of releases a year would be a reasonable bar for membership, like @rvagg, just a suggestion, ignore if not helpful, but perhaps everyone's private keys should be stripped from the authorized file, and replaced with a shared private key in the secrets repo that the release team has gpg decrypt rights to. Then, after the yearly house-cleaning, the key can be rotated, and legacy members will lose access. Though perhaps that means that when people do ssh in, they all appear to have the same identity... A key manager would be nice, it comes up regularly in discussion between @mhdawson and me, but hasn't quite gotten high enough with mac and other things above it.
Sounds fine to me. It'd just mean keeping the secrets directory gpg keys in sync with the GitHub team, and someone has to be on the hook for the yearly checkup, team pruning, rotation and gpg secrets key syncing. Someone has to be on the hook for something, pick your poison!
This should be resolved. Please reopen if I missed something.
Sadly this isn't done yet, I don't think we have an agreed upon solution and I still haven't trimmed the active releasers list, can someone please reopen this?
@rvagg Are these the ssh keys for the
There's 43 keys in there, most have no identifier associated with them. It looks like recent ones do have labels, but most don't. Someone needs to go through those releasers, grab their ssh keys and compile a new authorized_keys from it, with labels, and just replace what's there now.
So we only need to get the 9 current releasers' keys in there and not any Build WG folks or anything like that? Those are all in another file (or another section of the same file) or something?
Yeah, I think we can ditch everyone but releasers, keep it clean. I can see build infra in there but infra also has root on that server anyway so it doesn't need it here. We can add it back later if we find that it was needed for something unexpected.
Did we end up removing everyone but current releasers? Do we have it down to approximately 10 keys or so? If not, is there anything I can do to help move this forward to a resolution?
I don't think we removed anything. Current status is there are 41 keys, of which 14 are commented as belonging to current releasers (some releasers have more than one key) plus Rod and the build-infra key. That leaves 27 uncommented keys.
I've taken an executive decision to just remove the uncommented keys. This was done by executing:

```sh
cd /home/dist/.ssh/
cp authorized_keys authorized_keys.bak
cat authorized_keys.bak | awk -F ' ' '! ( $3=="" )' > authorized_keys
```

There are now 14 keys, all commented with who they supposedly belong to.
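The awk filter above decides "labelled" by testing whether a third whitespace-separated field exists, which is right for plain `type blob comment` lines but silently keeps an unlabelled key that carries an options prefix (`no-pty`, `from="..."`), because the blob is then the third field. The script below is an added example, not code from the nodejs/Release project or from anyone in this thread: it parses authorized_keys entries including the options prefix, splits them into labelled and unlabelled, prints the OpenSSH-style SHA256 fingerprint of each so dropped keys can still be matched against a person's GitHub `.keys` file, and rewrites kept entries with the "labelled and dated" comment form requested in the issue. The sample file, the fingerprint-to-owner map and the date are constructed for the example.

```python
"""Trim an OpenSSH authorized_keys file to labelled entries (added example)."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Key types accepted in authorized_keys; sk-* are FIDO/U2F keys.
KEY_TYPE = (r"ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)"
            r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com")
ENTRY_RE = re.compile(
    r"^(?:(?P<options>\S.*?)\s+)?"        # optional options prefix, e.g. no-pty,from="..."
    r"(?P<ktype>" + KEY_TYPE + r")\s+"
    r"(?P<blob>[A-Za-z0-9+/]+=*)"          # base64 key material
    r"(?:\s+(?P<comment>.*\S))?\s*$"       # optional comment: this is the "label"
)
# Limitation: a command="..." option whose quoted string itself contains a
# key type followed by base64 text would confuse the non-greedy options match.


@dataclass
class Entry:
    options: Optional[str]
    ktype: str
    blob: str
    comment: Optional[str]

    def fingerprint(self) -> str:
        """SHA256 fingerprint as ssh-keygen -lf prints it (base64, no '=' padding)."""
        digest = hashlib.sha256(base64.b64decode(self.blob)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    def render(self) -> str:
        """Serialise back to one authorized_keys line."""
        return " ".join(p for p in (self.options, self.ktype, self.blob, self.comment) if p)


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry, or None for blank lines and '#' comments; raise on garbage."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = ENTRY_RE.match(stripped)
    if not m:
        raise ValueError(f"unrecognised authorized_keys line: {line!r}")
    return Entry(m["options"], m["ktype"], m["blob"], m["comment"])


def trim_unlabelled(text: str) -> Tuple[List[Entry], List[Entry]]:
    """Split the file into (kept = labelled, dropped = unlabelled) entries."""
    kept: List[Entry] = []
    dropped: List[Entry] = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            (kept if entry.comment else dropped).append(entry)
    return kept, dropped


def relabel(entries: List[Entry], owners: Dict[str, str], date: str) -> List[str]:
    """Rewrite the comment of every entry whose fingerprint is in `owners`
    as '<owner> (added <date>)'; unknown fingerprints keep their old comment."""
    out = []
    for e in entries:
        owner = owners.get(e.fingerprint())
        comment = f"{owner} (added {date})" if owner else e.comment
        out.append(Entry(e.options, e.ktype, e.blob, comment).render())
    return out


# Constructed sample file; the blobs are base64 of short strings, not real keys.
SAMPLE = """\
# constructed sample, not the real dist server file
ssh-rsa Y29uc3RydWN0ZWQta2V5LW9uZQ== alice@example.com
ssh-ed25519 Y29uc3RydWN0ZWQta2V5LXR3bw==
no-pty,from="192.0.2.0/24" ssh-ed25519 Y29uc3RydWN0ZWQta2V5LXRocmVl bob@example.com

ecdsa-sha2-nistp256 Y29uc3RydWN0ZWQta2V5LWZvdXI=
"""

if __name__ == "__main__":
    kept, dropped = trim_unlabelled(SAMPLE)
    for e in dropped:  # log what is being removed, by fingerprint, for the audit trail
        print(f"dropping {e.ktype} {e.fingerprint()}")
    owners = {kept[0].fingerprint(): "alice"}  # constructed fingerprint-to-owner map
    print("\n".join(relabel(kept, owners, "2019-01-01")))
```

Note that the fourth sample line is unlabelled but would survive the `$3==""` test had it carried an options prefix; the parser classifies it by the comment field regardless of what precedes the key type.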
One other thing to mention is that we currently have a ufw2 firewall in place on the server which means we have to add IP addresses to the allow list (or releasers have to connect through a jump host) which provides an additional separate security perimeter.
There's a lot of SSH keys in place allowing for release promotion, 40 all up. 28 of them are unlabelled and a lot of the ones with labels are for people I know don't do releases anymore. This functionality punches a pretty significant hole in our security perimeter that protects what we publish so I'd like us to get it locked down.
Can I ask this WG to clarify who can currently perform releases. Is https://github.com/nodejs/Release#releasers-team accurate or should even it be refreshed? It shouldn't be hard to check who has performed a release in the past X months if that's a good way to do a refresh.
Secondly, can I get fresh SSH keys for each of these individuals? Your GitHub .keys is fine if it just contains one key, otherwise if you can specify which one, just one per person (it'd be awesome if it was a dedicated key but that's not strictly necessary). I'll get them in, labelled and dated, replacing everything that's there now.