@Dzahn wrote this a few days ago.
<mutante> there is a "when added to LDAP wmf you automatically also get Phab WMF-NDA" nowadays <mutante> but maybe not the same for "nda", not the automatic part <mutante> feel free to reopen that ticket to ask for phab nda
Basically this is the volunteer counterpart of T290605: When WMF staff requests to be added to ldap/wmf, also add their Phabricator account to #WMF-NDA.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Dzahn | T349595 Clarify if NDAs (to access #WMF-NDA protected Phab tasks) are on paper or in Legalpad's L2 or both | |||
| Resolved | Dzahn | T299839 Clarify whether members of ldap/nda should be added to #WMF-NDA | |||
| Resolved | Dzahn | T358578 Add WMDE staff who have signed the NDA with the WMF to the WMF-NDA phabricator policy group |
Adding WMF-NDA-Requests, @mark, @faidon and @MoritzMuehlenhoff for SRE, Security and @KFrancis for feedback.
One thing to clarify is how we can ensure that the off-boarding process from this group will be performed when the NDA expires or is revoked.
Is that already covered by the offboarding script?
Yes, that is covered by the offboarding script, the NDA group is Phabricator is a privileged group and "offboard -p" removes access to it (which gets run as part of offboarding in the part handled by SRE).
The nda ldap group (which this task is about) is explicitely for volunteers and not staff.
A large chunk of cn=nda members are researchers with time-limited access which do get tracked by the WMF offboarding process (an estimate is given until when the project will be completed and than access is extended or revoked as needed).
The volunteer NDA isn't time-limited, as such there's also no specific offboarding (except when people ask for their access to be removed or potentially if the access needs to be removed for other reasons (e.g. violation of terms of use)).
Does this still need WMF-NDA-Requests tagging in it? It means it appears in the Clinic Duty dashboard, which is probably not what we want?
It was now also implemented that members of ldap/wmde should be added to WMF-NDA, see https://wikitech.wikimedia.org/w/index.php?title=SRE/Clinic_Duty/Access_requests&diff=2012791&oldid=2012786.
Yea, basically the wmde things was given as an example, or further support argument. But I don't think we have resolved the original ticket yet. So thank you for that!:)
This is coming up again. Also see T338611#8969307
We would still benefit from this being clarified and resolved.
@jbond: How could we make some progress here and who could drive it as this issue is repeatedly biting us? (For the records, the "staff counterpart" of this task got resolved in T290605: When WMF staff requests to be added to ldap/wmf, also add their Phabricator account to #WMF-NDA.) Thanks in advance for any hints!
over at T349595#9598075 the L2 document has been retired and it has now been made official that NDA requests should go through Legal directly and signing L2 in Legalpad is not part of that process anymore
Let me steal this (if you don't mind). I have recently closed the subtask and and it's about my original comment from 2022. I'd check with Katie Francis / legal.
@Aklapper Getting back to this nowadays... So... I am thinking that it's uncontroversial that someone who already has a volunteer NDA (signed with Legal, not just inside Phabricator), could be added to the WMF-NDA group in Phabricator. After all the "NDA" is part of the name of the group. Agreed?
Given that, I think all we actually need to do is make some small edits to the same Wikitech pages where you once added the part that "when users are added to wmf, also add them to WMF-NDA" and say the same thing for the "nda" group. So under LDAP access request docs.
Previously I thought I need to follow-up and discuss with Legal, but now I think that's actually not needed. We wouldn't actually introduce something new; we would just do it by default.
https://wikitech.wikimedia.org/wiki/Volunteer_NDA already says "After that, ask in the Phabricator task to make you a member of the "WMF-NDA" project." at least nowadays !
And this is after "contributors must sign a specific volunteer NDA directly with Legal ".
It's like this ticket is already resolved :)
The actual fix here was on https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests
For the WMF group we already had the sentence which was added by T290605.
Also add the user to the wmf-nda Phabricator group (click "add members", see T290605 for background on this).
but for the NDA group section we did not.
Since it's uncontroversial that people who signed the NDA can be added to WMF-NDA and based on the existing docs in the comment above,
I just copy pasted that into the NDA section as well.
I claim this resolved the ticket. Feel free to disagree of course!
@Zabe Since you are also already in WMF-NDA and the docs are clarified I'll call it resolved.
I think the https://wikitech.wikimedia.org/wiki/SRE/Clinic_Duty/Access_requests#Modify_LDAP_groups section should also be updated.
It states When adding a user to the wmf or wmde LDAP groups, please also add them to the Phabricator group wmf-nda.