Limiting access for Streamlink contributors
Recently RetroArch was compromised due to an old user with too much access and too little security maintenance. Their compromised password allowed for devastating and annoying action to be taken against the repository. To protect Streamlink as an org I am proposing the following changes. I understand that discussing this may open some members up to a potential attack vector, but I don’t see any other way around it that sticks to our commitments around openness:
- A secondary team called Past Contributors is added to allow us to move people from the Members team who are not actively working on Streamlink. This also allows us to ensure their contributions as part of the organization are recognized and they maintain the Streamlink badge on their profile in case anyone actually cares about that. This team will have read-only access to the repository.
- All currently active members (those who have GitHub activity or contributions in the last 6 months) without 2FA enabled will temporarily be moved to Past Contributors, they will then be mentioned in this issue and told they must enable 2FA to remain part of the members team, however if they do not wish to do so for whatever reason they can stay on the past contributors team. Once that action has been completed they will be moved back to the members team. This is to both protect us from people who may potentially not be active while also ensuring those who wish to remain active members do so, and we don’t introduce a risk factor where they are actively called out for not having 2FA while being part of the members team.
- We should have a discussion around the size of the members team, originally it made sense to have more people on the members team due to how quickly we were moving from livestreamer, but now does that make sense? Should we instead move some users to outside contributors?
@beardypig @bastimeyer @back-to please review this when you have time, as well as the current list of members here as it’s relatively short and gives you an idea regarding what I’m talking about.
Issue Analytics
- State:
- Created 3 years ago
- Reactions:2
- Comments:16 (14 by maintainers)
Top GitHub Comments
After a short discussion with @gravyboat, I’ve just moved all inactive users from the streamlink orga’s “members” list to “outside collaborators” and removed their write access to the repos which gets kept while doing so. No ill intentions, just a security measure, as stated in the OP from 1.5 years ago. If anyone of those users wants to become active again and get moderation/administration rights back, they are very welcome, just like everyone else who’s very much involved with the project.
Speaking of moderation rights, I added @mkbloke to the team members/maintainers list.
Streamlink packagers who were already added to the orga were also finally moved into the right “packagers” team, which I totally forgot about. Other packagers can get added there too, if they want. I’m not going to look for any GitHub accounts now though. Please just comment here in case you see this. Otherwise, anyone else with the necessary permissions can add those users.
Closing…
@gravyboat all sounds sensible to me.