A list of permissions requested and the reasoning behind your request: Early access to MediaWiki security and bugfix releases.
Wikimedia Foundation employees supporting your request (CCed): @csteipp
AIUI, Wikia has an organizational NDA with the foundation, so Wikia employees who are doing this as part of their job are covered by that.
Sorry, I dropped this one.
I talked with legal, and we should be able to do that for Shoutwiki. @lcawte, do you know who at Shoutwiki would have signing authority for something like that? You?
@Aklapper It's on the agenda for the next board meeting, as we never agreed we'd actually sign it as a company.
So we decided in principle that the company is happy to go ahead with this, pending the signing of NDAs to the company by people with access to the server.
Which is why I worry about the next person who asks, and the person after that.
Potentially related: T108360: Create "security pre-announce" group in Phab (to easier allow 3rd parties who get pre-release notifications to access Security tasks)
I think this got shelved from our director's meeting due to more pressing matters and never ended up back on the agenda. Given that I'm the sole director now, I'd sign this if this access is something that's still possible (although I'm guessing the NDA may have been updated since June 2015?)
Hi, just trying to get this ticket revived/resolved in some way because it's pending for so long.
Since it was created there is an entirely new security team. So first let me add them to this to get it on the radar again.
Also, let me add Rachel from legal who deals with NDAs usually. (Yes, you are most likely right that it changed since 2015 and also a new system is in use to sign them as opposed to the legalpad in Phabricator).
Then there is the question what it means technically. Are we talking about visibility of tickets in Phabricator and/or receiving email about upcoming security releases?
In the past Wikia, Debian, and Gamepedia (IIRC) would get access to security bugs and their patches a few days before the release itself (e.g. T67778#709961). This practice hasn't happened recently, but our security release process has also kinda been wacky.
@Legoktm Any idea what the non-wacky version of the process is going to look like? Should we care about this or close it?
@lcawte I realize this issue has a long history. I'm sorry this has been such a back and forth without outcome. Over the last year the security team has been through some changes and there are a couple of us trying to revisit where inherited tasks stand.
tl;dr: We want to be a useful and effective partner here, and need to define how to grant and remove this access to do it. We have a small working group to meet and define. After which you'll be the first use case. Please ping me directly if this continues to drag on, or if you have questions about status. The next couple of weeks are messy because of holidays in the US, but I swear this is in flight.
@JBennett I am throwing this your way since you'll be the person ...certifying? approving? the workflow here at the end of the WG session(s).
lcawte signed L2 (name on the list) and #acl*release_security_pre_announce exists. What would be the next step? Add lcawte as a member to that group?
Good question. I'll put it on our agenda, but it will probably get discussed next week instead of this bc holiday. Hope things are well @Aklapper and thanks for calling this out :)
Please note signing L2 is not considered enough anymore for volunteer shell access. Legal uses a different system to keep track of NDAs. That is why I added legal back in October 2018.
If you (security-team) want to go through WMF volunteer NDA process, please contact Rachel in Legal, she'll follow-up.
@lcawte hasn't been active in phab for a bit over a year - is this task still needed?
We are waiting for updates from the security team here. Let's ask them instead of the bug reporter.
This likely needs a re-triage then as I'm sure it's fallen off our radar at this point. While it would be nice to have some official process in place, if the user this task concerns (@lcawte) has been inactive and/or no longer requires such access, we should probably resolve this task.
Still required. Just don't have a whole load to upstream at this particular point in time.
Update: keeping this stalled/low for now as the Security-Team is currently working through a new draft policy for this access. We hope to introduce the formal policy/procedures soon.
Not to nag but is there any sense of a timetable for this? It's ok if it's a long one, just so we know when to ask for an update again.
@ArielGlenn - There is an internal draft policy (I just gave you access) which I feel is mostly complete save clarification on a couple of the actual technical controls and processes. This needs some push from the Security-Team but I believe it is considered fairly low priority for us at this time.
@sbassett OK, I'll leave a note here to ask again in a month, without any expectation of a change however. Thanks!
@ema - I'll bring it up as a topic at our team meeting on 2020-10-27. Since this would become a new process for the Security-Team to manage, we'd need to work out a few more policy specifics.
Update: @JBennett and I have been actively discussing this. There are several moving parts and likely some legal issues to be worked out and probably some additional gating/auditing procedures to design, but we're hopeful (without making any promises at this point) that we are getting closer to actual policy and procedures.
Update: The Security-Team would like to specify a pilot program next quarter (Q3 FY21) for early security release access, limited to a small number of trusted developers and maintainers of certain MediaWiki installations. @Reedy and myself will begin work on a charter with further details and with the intention to launch said program soon thereafter.
Update: unfortunately, it looks like the pilot program mentioned above likely will not happen until Q4 2021.
No, Apr - Jun 2021. At least that is how I understand the quarters to be defined within Betterworks, based upon WMF's fiscal year start date of July 1st.
Thanks a lot for the clarification! (I asked for clarification as most folks here won't know "Betterworks" or when some company's "FY" is meant or maybe not.)
Unfortunately, this never got around to happening during some of the 2020 discussions above and the Security-Team does not currently have the bandwidth for this task at this time.