#1280 Issue closed: Check out waffle.io to increase transparency / Agree on external tool access to ReaR

Labels: enhancement, won't fix / can't fix / obsolete

schlomo opened issue at 2017-04-05 15:07:

Please have a look at https://waffle.io/rear/rear, maybe this helps our users see what we work on?

gozora commented at 2017-04-05 15:23:

lol Ironing my waffle???

gozora commented at 2017-04-05 15:29:

Don't want to sound paranoid but is this safe?

Authorize application
Waffle by @waffleio would like permission to access your account

@schlomo Did you authorize this access for your account?

schlomo commented at 2017-04-05 15:33:

Yes, I did. And I know what you mean. That is why I want your opinion on this topic.

schlomo commented at 2017-04-05 15:36:

Waffle says: "Due to limitations in the GitHub API, we require read/write access to your repos in order to interact with Issues". I actually saw this kind of disclaimer in many tools and would say that this is a reason why GitHub is only good for public stuff.

schlomo commented at 2017-04-05 15:38:

A possible alternative is to use GitHub Projects, which does kind of the same thing but looks less fancy.

gozora commented at 2017-04-05 15:40:

Well, reviewing permissions, I'm fine with:

  • Email addresses (read-only)
    This application will be able to read your private email addresses.
  • Organizations and teams
    Read-only access
    This application will be able to read your organization and team membership.
  • write access to Issues

I'm not so happy with following write access:

  • Code
  • Pull requests
  • Wikis
  • Settings
  • Webhooks and services (though I'm not entirely sure what this does)

But biggest NO NO for me is Deploy keys

But in general I'll trust you guys, as I'm pretty new to development, so if you say it is safe I'm joining you.

V.

gozora commented at 2017-04-05 15:50:

If GitHub projects can do same thing, I'm prepared to exchange fanciness for better security control any time ;-)
A short video about GitHub Projects if you like watching more than reading ...

V.

schlomo commented at 2017-04-05 16:00:

According to the video it seems like the projects can't use the labels to sort issues into columns.

Since we are already talking about security, ATM we already have some external apps enabled:
[screenshot]

Maybe this is a good moment to talk about that and make sure that everybody here agrees with it. I most definitely don't want to make anybody feel worried about security here.

schlomo commented at 2017-04-05 16:03:

@gozora The deploy keys access that you mention is also the thing that worries me most of all - and which is for me the reason to treat GitHub more as a repo and less as a workflow tool that can change stuff elsewhere.

To safeguard ReaR code we could also adopt GPG signing - as long as the 3rd party apps don't have your GPG key they won't be able to manipulate our code without us knowing about it.

I actually started to sign all my commits this month.
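
A check for the safeguard described in the comment above, as an added shell example that is not ReaR's own code and not part of this thread: it lists every commit in a range whose signature is missing or does not verify, using git's `%G?` log placeholder, so that a commit pushed by a third-party app holding only an OAuth token (and no developer's GPG key) shows up as `N`. The function names `unsigned_commits` and `check_range_signed`, and the choice to accept status `U`, are assumptions of this example.

```sh
#!/bin/sh
# Added example (hypothetical helper, not ReaR's own code).
# git's %G? placeholder reports one status letter per commit:
#   G  good signature, key trusted
#   U  good signature, key not (yet) in the local trust web
#   X  good signature, but the signature has expired
#   Y  good signature, but the signing key has expired
#   R  good signature, but the signing key was revoked
#   B  bad signature
#   E  signature present but cannot be checked (e.g. key not imported)
#   N  no signature at all
# Only G and U are accepted below; drop U from the case to require keys that
# you have explicitly trusted in your gpg keyring.

# Print "<hash> <status>" for every commit in RANGE of REPO that does not
# carry a good signature. Prints nothing when all commits are signed.
unsigned_commits() {
    repo=$1
    range=$2
    git -C "$repo" log --format='%H %G?' "$range" |
        while read -r hash status; do
            case $status in
                G|U) ;;                                  # verified signature
                *) printf '%s %s\n' "$hash" "$status" ;; # missing/bad/unverifiable
            esac
        done
}

# Return 0 when every commit in RANGE is signed and verifies, 1 otherwise,
# listing the offending commits on stderr.
check_range_signed() {
    bad=$(unsigned_commits "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'Commits without a verified signature:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

Run it over a merge candidate with something like `check_range_signed /path/to/rear origin/master..HEAD`; a non-zero exit means at least one commit in the range was created without a developer's key, which is exactly what a token-holding app could do but a signing developer would not.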

gozora commented at 2017-04-05 16:28:

GPG signing of ReaR is indeed a good idea!

jsmeix commented at 2017-04-06 07:34:

I didn't read all the details but in general
I never permit anybody or anything to act as if it was me.

schlomo commented at 2017-05-21 05:56:

It seems to me that we don't need Waffle.io or similar external tools at the moment. If nobody speaks up in favor I'll remove it soon. Thanks a lot, Schlomo

gdha commented at 2018-09-19 13:33:

As nobody seems to use this we better close the case


[Export of Github issue for rear/rear.]