Page MenuHomePhabricator

ZhouZ needs access to WMF-NDA group
Closed, ResolvedPublic

Description

Hi,

I would like access to the WMF-NDA group on Phabricator.

I am the new legal counsel supporting products at the Wikimedia Foundation.

Thanks,

Zhou

Event Timeline

ZhouZ raised the priority of this task from to Needs Triage.
ZhouZ updated the task description. (Show Details)
ZhouZ added a project: WMF-NDA-Requests.
ZhouZ added a subscriber: ZhouZ.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 11 2015, 7:15 AM

For what is worth, I can prove that @ZhouZ is the same Zhou that works in WMF-Legal (and he is a member of that project already).

WMF-NDA-Requests is really supposed to be for volunteers to use...

Hi @Krenair, what process should Foundation employees use to request access?

To be honest, I'm not sure we have one... Maybe we should change WMF-NDA-Requests a bit.

Qgil added a comment.May 11 2015, 9:11 PM

I followed the description at WMF-NDA and I added Operations because, indeed, the regular process signing an NDA online is for volunteers, not for employees.

Dzahn renamed this task from Need access to WMF-NDA group to ZhouZ needs access to WMF-NDA group.May 11 2015, 11:38 PM
Dzahn set Security to None.
Dzahn added a subscriber: Dzahn.May 11 2015, 11:40 PM

WMF-NDA-Requests is really supposed to be for volunteers to use...

Does it matter whether people receive compensation from WMF or not?

@Qgil Didn't this come up before and we got a kind of blanket statement from legal/HR saying that we can assume anyone who is an employee also signed an NDA at some point? In that cause we could simply add anyone who has a @wikimedia.org address and asks for it.

If that is not the case and we want to check for actual NDAs being signed then i would say why don't we use the same procedure for all people and ask legal to create a version of L2 that isn't specific to volunteers, or even easier change the wording to use the same document for all people if possible?. I wonder if it really matters for this whether people happen to be paid.

Dzahn added a comment.May 12 2015, 1:27 AM

the requesting user is member of legal. the teams that could potentially confirm a NDA has been signed seem to be legal or HR. who can we assign it to to confirm?

Dzahn assigned this task to Slaporte.May 12 2015, 1:27 AM
Dzahn added a subscriber: WMF-Legal.
Qgil added a comment.May 12 2015, 5:46 AM

@Qgil Didn't this come up before and we got a kind of blanket statement from legal/HR saying that we can assume anyone who is an employee also signed an NDA at some point? In that cause we could simply add anyone who has a @wikimedia.org address and asks for it.

This is my opinion as well. With HR's onboarding process, I don't think you can be an employee and don't have an NDA signed. Someone with permissions could update the description of WMF-NDA and add @ZhouZ.

Other WMF employees could be added just after their request. As you say, having a @wikimedia.org address is a good proof.I don't think they need to sign a second NDA with the same scope.

WMF-NDA-Requests is really supposed to be for volunteers to use...

Does it matter whether people receive compensation from WMF or not?

There are many things we could ask that about...

Dzahn added a comment.May 12 2015, 9:34 PM

WMF-NDA-Requests is really supposed to be for volunteers to use...

Does it matter whether people receive compensation from WMF or not?

There are many things we could ask that about...

Yea? So does it matter or not?

Slaporte added a comment.EditedMay 12 2015, 9:37 PM

@Dzahn, I confirmed that @ZhouZ is an employee and under NDA. He will need to access WMF-NDA as part of his work.

Thanks!

Dzahn added a comment.May 12 2015, 9:38 PM
In T98722#1278472, @Qgil wrote:>

Someone with permissions could update the description of WMF-NDA and add @ZhouZ.

@Qgil agree, looking at history you have added over 100 people (WMF employees) to this group before, do you just want to do the same here then?

Dzahn added a comment.May 12 2015, 9:50 PM

@Dzahn, I confirmed that @ZhouZ is an employee and under NDA. He will need to access WMF-NDA as part of his work.

Ok, thanks! Added to the group.

P.S. That project page says that we should never add people without a confirmed NDA. (if the theory that having an @wikimedia.org address is good enough that can be removed). But if we are supposed to check then I'm gonna note that we still don't have a defined way how to do that and I am not sure how it was done for previous cases where WMF employees have been added and what made this one different.

Dzahn closed this task as Resolved.May 12 2015, 9:51 PM
Qgil added a comment.May 13 2015, 8:41 AM

(Just for reference)

In T98722#1278472, @Qgil wrote:>

Someone with permissions could update the description of WMF-NDA and add @ZhouZ.

@Qgil agree, looking at history you have added over 100 people (WMF employees) to this group before, do you just want to do the same here then?

I did that in a single shot as part of the RT migration. Today I don't even have permissions to add members (and that's fine, since this is an Operations process). I'm for accepting automatically any @wikimedia.org from now on. If WMF-Legal has an objection, they can object. :)

Danny_B removed a subscriber: WMF-Legal.
Restricted Application added a subscriber: JEumerus. · View Herald TranscriptAug 8 2016, 12:07 PM

So everyone who has a @wikimedia.org account should be on a NDA and can be added to the WMF-NDA group. So going forward, that's all we should need to look for to add someone.

I am also going to contact HR about integrating this into the on-boarding process.

Dzahn removed a subscriber: Dzahn.Aug 8 2016, 10:27 PM

So everyone who has a @wikimedia.org account should be on a NDA and can be added to the WMF-NDA group. So going forward, that's all we should need to look for to add someone.

@ZhouZ: What type of account is a "@wikimedia.org account"? Also, Phabricator does not expose the email addresses of user accounts.

I am also going to contact HR about integrating this into the on-boarding process.

@ZhouZ: Your help moving T107136 forward is very welcome. (For the last half a year I have not been successful to get a reply in Phab.)

@ZhouZ: What type of account is a "@wikimedia.org account"? Also, Phabricator does not expose the email addresses of user accounts.

I am just going off based on Quim's comment above

Other WMF employees could be added just after their request. As you say, having a @wikimedia.org address is a good proof.I don't think they need to sign a second NDA with the same scope.

@wikimedia.org isn't just managed by OIT, non-staff run addresses there, for example anything going through OTRS.

That said I think everyone using OTRS has probably got done sort of NDA at this point?

@ZhouZ: Hmm, let me try to rephrase the problem:

So everyone who has a @wikimedia.org account should be on a NDA and can be added to the WMF-NDA group. So going forward, that's all we should need to look for to add someone.

I cannot look for or find out whether someone has a @wikimedia.org account. Phabricator does not show you what email address someone used for their Phab account. Hence it's not feasible. I can only check for the user name of an associated SUL account, or LDAP account. Both does not allow me to find out their email addresses either. Hence this is not feasible. :(

Ok I see - I was mistaken then.

It sounds like maybe the process should be someone should email an address requesting to be added by giving their Phabricator username from their @wikimedia.org account.

@wikimedia.org isn't just managed by OIT, non-staff run addresses there, for example anything going through OTRS.

True, but I was under the impression that at least the GMail/Google Apps accounts ending in @wikimedia.org are only given to people who have signed an NDA. (I seem to recall seeing some Google Drive content shared to this group based on this assumption.)

@wikimedia.org isn't just managed by OIT, non-staff run addresses there, for example anything going through OTRS.

True, but I was under the impression that at least the GMail/Google Apps accounts ending in @wikimedia.org are only given to people who have signed an NDA. (I seem to recall seeing some Google Drive content shared to this group based on this assumption.)

That's my impression as well, but you can't just email a random @wikimedia.org address and assume it'll be routed to a foundation staff member in Google Apps. @wikimedia.org addresses are used by more systems than just staff mail.

Qgil added a comment.Aug 11 2016, 2:54 PM

What about a task / email by their manager? It should be simple to verify the manager's username/email.

What about a task / email by their manager? It should be simple to verify the manager's username/email.

Yep that could work (I assume this means there's something about a manager that makes them easier to verify).

Qgil added a comment.Aug 12 2016, 10:16 AM

As opposed to new/recent hires, managers are supposed to either have been around for a while or have a properly verifiable credentials. And if not, then the first thing to fix is the verification of that manager.

Relatedly, T142830: Require/track Phabricator username proposes to store Phab username in LDAP.

What about a task / email by their manager? It should be simple to verify the manager's username/email.

Task comment, probably... which might sometimes require fixing the manager's account too.

Emails: No - insecure and error-prone technology. (Would mean returning to a single bottleneck of failure and require me to reply to such emails a la "Did you really send this email?" before I become a security expert about mail header spoofing, or require folks to sort out GPG for verification.)

So to recap what we want to do:

The process would be for any staff member requesting NDA access for their NDA account to create a phabricator task using their account (ccing @Aklapper) and have their manager request this access on the task for this particular staff account.

Folks who want access to file a task under WMF-NDA-Requests. I verify the account and check if it was created by Office IT. If it was not, I ask the person to make their manager comment on that task (and cross fingers that the manager's account was created by Office IT).
(For the records: The first two steps are documented on office:Guide_for_new_engineering_staff#Accounts)

FYI, I'd love WMF folks to get access already when onboarding. Help making progress in https://phabricator.wikimedia.org/T107136 is welcome.

I see - I have done more investigation into this process. Will update the other task then and close this one.