Howdy,

So I've asked Pono two procedural questions I'm not sure on here. Just tired of redoing things 😢

Since this authorizes a reimbursement (not just a budget item, but actual monies) I don't know if it needs to be more specific on what it is reimbursing. For instance, which of the two keys or a specific model of key.

When we did the last thing like this with the book program, the SFC strongly preferred us giving them a list of people and them ordering it for us. Not sure if that's the case anymore. Asking.

Anyway, I'm for getting security keys for folks, just want to make sure we get the details correct and didn't want anyone to think I'm ignoring this thread.

Ted
On Jan 13 2022, at 2:41 pm, Marc Jeanmougin <marc@jeanmougin.fr> wrote:
Dear leadership committee,

Your attention is required to vote on the following matters:

Background:

Some contributors have, or need to have, access to social media accounts
to post on the behalf of the project, or to infrastructure accounts,
most importantly gitlab. For computer security, we would like to protect
those accesses with a safe 2FA method, and the safest method to avoid
impersonation and phishing attacks is a 2FA hardware token with FIDO2 or
U2F. Then we would be able to set a policy to enforce 2fa when
contributors need access to passwords that would be shared on nextcloud,
or to contributors with "owner" access to gitlab projects.

The most common such token is the Yubikey (45€/$ a piece+10
tax+5shipping) but there are equivalents with open hardware component
and open source software (e.g. solokeys at 35€/$ incl. tax +5€ shipping,
or nitrokey ). As for the amount of people, the vectors team has around
10-15 people with some level of access to passwords of the project, 4
people do not have 2FA and have "owner" access to the whole gitlab
project, + 2 "maintainer" access to inkscape/inkscape (and more in other
sub-projects). We also have the possibility to offer it to all regular
contributors for whom it would be useful.

It is yet to be seen whether we could have a discount by asking, or if
there is a way to pay for the whole order and get a single reimbursement
instead of reimbursing individual contributors

Ballot:

a. Reimburse up to 2000 USD for password and project protection, and
also offering it to contributors who have been in the project for more
than a year and ask for it (implies support for option b)
b. Reimburse up to 1000 USD to protect the project's passwords on
nextcloud and gitlab project access (only contributors who have access
to nextcloud, and gitlab maintainer or owner access)
c. Do not do it
d. Other (please specify)

Thanks!

--
Marc

_______________________________________________
Inkscape Board of Directors mailing list -- inkscape-board@lists.inkscape.org
To unsubscribe send an email to inkscape-board-leave@lists.inkscape.org