Synchronizing Github Issues with W3C Mailing Lists - w3c/webpayments GitHub Wiki

Introduction

The W3C has traditionally done most of its work through mailing lists and the W3C issue tracker. New groups at W3C are migrating to Github and need a mechanism that supports the W3C standardization process. This wiki page documents a way to enable a group at W3C to use Github for all of their version control and issue tracking needs.

Note: There is an existing mechanism that requires groups to contact Dom to set up issue mirroring, but that solution doesn't enable people to respond to issues via a mailing list.

Goals

  • Enable multiple Github repositories to be used for version control on specifications.
  • Enable issues to be raised on specifications through Github.
  • Enable issues to be responded to via Github's website.
  • Enable issues to be responded to via W3C mailing lists (no Github account required).
  • Reduce the attack surface on the mailing lists and Github.

Setting Up Github Issue Syncing

Requirements

  1. A W3C staff contact that is able to manage the mailing list for the W3C group you are trying to setup on Github.
  2. An hour to do the setup and test the configuration.
  3. A smartphone (for two-factor authentication).

Setup

  1. Create a new user account on Github.
    1. Ensure that the email address you use to register is the public mailing list address for the W3C group. For example: [email protected].
    2. After registration, check the W3C mailing list "Admin action" queue. Use the verification link in the admin queue to verify the email address. Delete the email from the admin queue (do not let it through).
  2. Set up two-factor authentication for the account.
    1. Download and install Google Authenticator on your smartphone.
    2. Set up two-factor authentication.
    3. Make sure your "delivery mode" is set to "authenticator application".
    4. Make sure you save your recovery codes.
    5. Save the username and password, the recovery codes, and the two-factor shared secret key (save the QR code image, or the manual setup code). Share this information only with the W3C staff and chairs for the group, and keep it somewhere access-controlled: anyone holding the shared secret can generate valid two-factor codes, and a recovery code bypasses the authenticator entirely.
  3. Watch the Github repositories whose issues the group should be notified about, so that new issues and comments in those repositories generate notifications to the mailing list.

How it works

  • Any issue that is created will trigger an email to be sent to the public mailing list of the W3C group.
  • Any response to an issue will trigger an email to be sent to the public mailing list.
  • Responding to an issue via email will log the response to the Github issue and send an email to the public mailing list.

Security Concerns

  1. It is possible to spam the list by:
    1. Creating a throw-away Github user account and responding to issues in the Github issue tracker. This is the easiest attack. The driver for this attack is to annoy people on the mailing list and to cause a disruption. The response to the attack is to delete the comment and notify Github that an account is being abused.
    2. Finding the issue's reply-to address in the headers of a notification email (anyone who subscribes to the list can see them), then replying to it by email from an arbitrary address. This attack will send an email to the mailing list, but the spam can be deleted via Github's issue tracker. The driver for this attack is to annoy people on the mailing list and to cause a disruption. The response to the attack is to delete the comment. A complete response to this sort of attack requires a bot (Dom has one in the works) that authorizes posts based on the originating email address and/or the Github user account that made the post; this would be hard/heavyweight to manage.
  2. Password reset links can be sent to the mailing list. Anyone can trigger one with Github's "I forgot my password" feature, and the link will land on the public mailing list. However, as long as two-factor authentication is turned on, the link alone is not enough to change the login password: an attacker would also need a valid code generated from the two-factor shared secret (or one of the saved recovery codes). Protect the shared secret and recovery codes accordingly.