Add Catena-X Security Group (READ ONLY) #46

Open
SSIRKC opened this issue Jan 12, 2024 · 7 comments
@SSIRKC

SSIRKC commented Jan 12, 2024

Hi guys,

As mentioned in the office hours, we currently have no committers from the security team who CAN SEE the security advisories, due to view rights. To solve this, we would like to be added to each product in the Tractus-X repo with READ rights.

Our Request To EF:
To achieve this efficiently, it was suggested to have a SIG-Security group added as a TEAM in the Tractus-X repository.
Otherwise each product owner has to add each one of us with view rights to his product repository.

It would be great if you can create such a group as EF also has a security group with view rights.

Kind regards
Kristian Cicka

@SebastianBezold
Contributor

ping @netomi: Could you maybe have a look at this and clarify if the EF would do something like that?

@netomi
Contributor

netomi commented Jan 12, 2024

We could create a separate team for the organization for all security team members and add that team as security managers for the organization. For some projects we added all committers as security managers, but that would not work for tractusx, but the separate team that is anyway responsible for that would make sense.

@SebastianBezold
Contributor

Ok sounds reasonable to me. What do you think @SSIRKC?
@netomi, how would on- and offboarding members to this new team work? Is it a PR done by a committer to the otterdog config, or would that happen via Help Desk ticket?

@netomi
Contributor

netomi commented Jan 12, 2024

Yeah, creating and updating the team should go via HelpDesk for visibility.

@SSIRKC
Author

SSIRKC commented Jan 12, 2024

Hi @SebastianBezold, @netomi,

Yes, that would be great to have another team/group for the Catena-X security team.
Any other solution would be a lot of effort. How can this be created, @netomi?

@netomi
Contributor

netomi commented Jan 12, 2024

Open a HelpDesk ticket and list the names of people that should be part of that team + some approval from a project lead.

@SSIRKC
Author

SSIRKC commented Jan 15, 2024
