update opencontrol org permissions #44
Comments
OpenControl wasn't started by 18F, and has never been only 18F staffers - what problem are you trying to solve? I'm violently allergic to the RH trend towards pseudo-meritocracy, so phrases like "Need a vehicle to recognize community participants" coming from someone who clearly doesn't even know the OpenControl history make me deeply uncomfortable.

I'm also unclear why RH content should have a repo within opencontrol at all - that's a commercial entity with its own GitHub repos.
On 6/4/18 1:22 PM, Joshua McKenty wrote:

> OpenControl wasn't started by 18F, and has never been only 18F staffers

During [your talk at All Things Open](https://www.youtube.com/watch?v=hb3gonG2oFA), you attributed project origination to 18F during the Pivotal on AWS rollout for cloud.gov. There's also the [OpenControl FAQ](https://github.com/opencontrol/opencontrol-website/blob/master/docs/faq.md#who) which references the creation at 18F. Perhaps these should be amended?

Not trying to take anything from Pivotal involvement in the creation here.

These days OpenControl isn't being used only by 18F/cloud.gov. For example, [Docker transforms their content into really great docs](https://docs.docker.com/compliance/reference/800-53/), Red Hat and Microsoft partnered to create an [OpenShift on Azure FedRAMP template](https://blogs.msdn.microsoft.com/azuregov/2017/06/05/red-hat-releases-partner-azure-blueprint-for-openshift-on-azure-government/), and there are other US Gov agencies using OpenControl internally for their ATO efforts. Red Hat also is starting to ship corporately maintained content.

> what problem are you trying to solve?

- It's not clear who to ask for help. Multiple subprojects, like compliance-masonry and fedramp-templater, are not the most active. Certainly one could dig through git histories, but @maintainers would be a much easier way to ask for help. Let's make the community approachable for newcomers.
- There are new community members but they can't be assigned tickets. Creation of something akin to a `community-members` group would allow for this. Not emotionally attached to the idea. If there's a better way, let's hear it!

> I'm violently allergic to the RH trend towards pseudo-meritocracy, so phrases like "Need a vehicle to recognize community participants" coming from someone who clearly doesn't even know the OpenControl history make me deeply uncomfortable.

Meritocracy revolves around elevating individuals based on their talent, their aptitude, their quality of contributions, their level of involvement. Many of the original OpenControl contributors are no longer here -- James Scott has moved on from 18F, Diego left 18F and is currently at Microsoft. Many are lurking but their focus is on new initiatives. And all of that is OK.

The ask here is to allow the next wave of community to build on their shoulders. Restructure org permissions to better enable communications. Allow for some reorganizing to generally be more welcoming and approachable for those who would like to collaborate. Insert new blood to keep things moving forward.

And perhaps more importantly -- expand admin rights, grant those who are actively maintaining repos and content the ability to do so. Power and control based on inheritance, of being part of the project's historical lineage, is much more closely aligned to an aristocracy than meritocracy.

You made some interesting assumptions regarding my involvement in security automation and more specifically OpenControl. Even if I was new, even if I couldn't recount the origin story by biblical verse, even if my story had gaps or mistakes, there's no reason to give an attitude. Welcome those who want to help.
I learned about 18F and OpenControl at the same time - via Noah Kunin's Handling FISMA Faster and Better https://www.youtube.com/watch?v=T1S52B1-NT4. It wasn't important to me who created it, but rather that it was FOSS and how it might be able to transform compliance automation. Since that time (about two years ago) I have not seen a lot of progress (and I am partly at fault as I have not contributed much). But it remains an exciting project and (for me) the next step is a library of components that slot into FedRAMP, 800-171, NIST CSF, etc. to more easily inherit from when working with different compliance frameworks. Shawn may work for the commercial Red Hat (that produces the most secure out-of-the-box OS I know of) but he also has been freely and copiously helpful technically and personally as I work to navigate the world of OpenControl (and OpenSCAP scanning). Now: how does one feed OpenSCAP scan results into OpenControl?
So-called "Meritocracy" is a boundary-policing approach to maintaining systemic privilege. The term itself was invented as satire[1], and the concept underneath it has been put to bed repeatedly by the academic community[2] as well as the broader developer community. I'm happy to address the needs to a) make it easier for new contributors to get involved, and b) make it easier for active contributors to get admin privileges. To start with, why don't we just give admin bits to anyone who wants them? I'd much rather bias towards an inclusive model (a la C4.1) than assume some hierarchy of governance is required.

[1] https://kottke.org/17/03/the-satirical-origins-of-the-meritocracy
The OpenControl project is no longer only 18F and hasn't been for some time (which is great!!). To reflect this, suggesting the OpenControl org permissions be restructured.
Currently there are four organizational teams (https://github.com/orgs/opencontrol/teams):
Suggest the following:
- Creation of net-new `community-members` team. Members would be able to own tickets, be tagged in PRs, etc. Need a vehicle to recognize community participants and communicate with them.
- Creation of repository maintainer teams, such as `certification-maintainers`, `compliance-masonry-maintainers`, etc. Members would have write-access to those repos. Currently it's too hard to track permissions and no clear way to give them out either. Also means interested parties could @repo-maintainers when asking for help, a quick PR review, etc.