#229: Shared, secure password distribution
----------------------------------+------------------------
Reporter: jflory7 | Owner: jflory7
Type: enhancement | Status: assigned
Priority: normal | Milestone: Fedora 24
Component: Internal operations | Severity: not urgent
Resolution: | Keywords: meeting
Blocked By: | Blocking:
----------------------------------+------------------------
Comment (by bproffit):
In order to manage the Fedora social media accounts, there needs to be a
solid plan for managing the accounts to ensure there is no unauthorized
access to the accounts. Three principles for defining such a policy should
be maintained.
* Transparency
* Continuity
* Capability of acting swiftly in the event of a breach
The purpose for distributing passwords is so that we can log into the
accounts to generate new content (that may not always be from a Fedora
source, like the CommBlog and Magazine), engage with our audience, and
help build a positive brand.
To assist with the management of passwords across a group of users, we can
use pass, a command-line tool that will enable a password store
(collection of passwords) to be maintained within a git repository.
This repository would be private, and maintained on GitHub, GitLab, or
another Fedora-accessible repo of our choice. Only these people would
always have access to this repository:
* Fedora Community Lead
* Fedora Project Leader
* Fedora Marketing Committee Chairperson
In addition, other members of this group could include:
* OSAS Social Media Designate
* Any vetted social media volunteers
This would not only keep an accurate list of who has access to the social
media passwords (via the repo's authorized user list), but would also be a
quick and safe way to share changed passwords if a breach occurred on a
given social media channel and a password had to be quickly changed. Any
changes would be pushed to the remote repository and subsequently pulled
into the local forks.
Drawbacks to a single-repository approach would be that all authorized
users would have access to all social media channel passwords. This is
good for cross-coverage, but could pose a security risk. This risk should
be minimized by the vetting of social media content volunteers.
Action Items:
* Choose a home for the private repo
* Determine who will have access to password store moving forward
* Confirm that a single repo to hold the password stores is the approved
approach.
--
Ticket URL: <https://fedorahosted.org/marketing-team/ticket/229#comment:10>
Marketing Team <https://fedoraproject.org/wiki/Marketing>
The Trac site for the Fedora Project Marketing team. This Trac serves as a place to list
out tasks, define objectives, and work on monitoring our progress with key tasks and
goals.
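
An added example, not part of the ticket or of pass itself: an audit of who a pass store is set up to encrypt each entry to, checked against an agreed access list. It assumes pass's layout, where recipients are listed in `.gpg-id` files and the nearest one at or above an entry applies; the store contents, addresses, entry names and the `AUTHORIZED` list are constructed.

```python
import os
import tempfile

AUTHORIZED = {"lead@example.org", "fpl@example.org", "chair@example.org"}  # assumed list

def effective_recipients(store, entry_dir):
    """Return the IDs in the nearest .gpg-id at or above entry_dir."""
    store, cur = os.path.abspath(store), os.path.abspath(entry_dir)
    while True:
        gpg_id = os.path.join(cur, ".gpg-id")
        if os.path.isfile(gpg_id):
            with open(gpg_id) as fh:
                return {line.strip() for line in fh if line.strip()}
        parent = os.path.dirname(cur)
        if cur == store or parent == cur:
            return set()  # no .gpg-id found: store not initialised
        cur = parent

def audit_store(store, authorized):
    """Map each entry to its recipients and flag recipients not in `authorized` (a set)."""
    access, unexpected = {}, {}
    for root, dirs, files in os.walk(store):
        dirs[:] = [d for d in dirs if d != ".git"]  # skip git metadata
        for name in files:
            if name.endswith(".gpg"):
                rel = os.path.relpath(os.path.join(root, name), store)
                entry = rel[:-len(".gpg")].replace(os.sep, "/")
                access[entry] = effective_recipients(store, root)
                if access[entry] - authorized:
                    unexpected[entry] = access[entry] - authorized
    return access, unexpected

def build_sample_store():
    store = tempfile.mkdtemp(prefix="pass-store-")  # throwaway directory
    layout = {  # constructed sample: empty .gpg files, made-up IDs
        ".gpg-id": "lead@example.org\nfpl@example.org\nchair@example.org\n",
        "twitter.gpg": "",
        "volunteers/.gpg-id": "lead@example.org\nvolunteer@example.org\n",
        "volunteers/blog-share.gpg": "",
    }
    for rel, body in layout.items():
        path = os.path.join(store, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return store

if __name__ == "__main__":
    for entry, extra in audit_store(build_sample_store(), AUTHORIZED)[1].items():
        print("not on authorized list:", entry, sorted(extra))
```

The audit covers the recipients the store is configured for; the hosting service's repository member list is a separate list and should be compared with the same access list.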