1 Jul 2022, 6:01 p.m.
I vote (a), so AFAIU the tally is:
Mc, Martin, Tav, CR, Josh: (a); Ted: (d)
The Inkscape PLC has authorized the reimbursement of up to 2k$ for security keys for contributors asking for it.
Thanks!
--
Marc
On 1/13/22 21:41, Marc Jeanmougin wrote:
> Dear leadership committee,
>
> Your attention is required to vote on the following matters:
>
> Background:
>
> Some contributors have, or need to have, access to social media
> accounts to post on behalf of the project, or to infrastructure
> accounts, most importantly gitlab. For computer security, we would
> like to protect those accesses with a safe 2FA method, and the safest
> method to avoid impersonation and phishing attacks is a 2FA hardware
> token with FIDO2 or U2F. Then we would be able to set a policy to
> enforce 2FA when contributors need access to passwords that would be
> shared on nextcloud, or to contributors with "owner" access to gitlab
> projects.
>
> The most common such token is the Yubikey (45€/$ apiece + 10
> tax + 5 shipping) but there are equivalents with open hardware components
> and open source software (e.g. solokeys at 35€/$ incl. tax + 5€
> shipping, or nitrokey). As for the number of people, the vectors team
> has around 10-15 people with some level of access to passwords of the
> project, 4 people do not have 2FA and have "owner" access to the whole
> gitlab project, + 2 "maintainer" access to inkscape/inkscape (and more
> in other sub-projects). We also have the possibility to offer it to
> all regular contributors for whom it would be useful.
>
> It is yet to be seen whether we could have a discount by asking, or if
> there is a way to pay for the whole order and get a single
> reimbursement instead of reimbursing individual contributors.
>
> Ballot:
>
> a. Reimburse up to 2000 USD for password and project protection, and
> also offering it to contributors who have been in the project for more
> than a year and ask for it (implies support for option b)
> b. Reimburse up to 1000 USD to protect the project's passwords on
> nextcloud and gitlab project access (only contributors who have access
> to nextcloud, and gitlab maintainer or owner access)
> c. Do not do it
> d. Other (please specify)
>
> Thanks!
>