Description
Current status
At the moment, to manage private streams automatically within this repo, we add the rust-lang-owner user to the stream.
See: team/sync-team/src/zulip/mod.rs, line 33 in 353e763
This isn't great because users with access to the rust-lang-owner user credentials (i.e. the members of the infra-admins team) can log in with that user and read private conversations.
Proposed change
As noted in #t-infra > zulip Moderator vs mods, there's a setting in Zulip channels that allows specifying users who can add other people to the channel without being part of the channel.
This means that rust-lang-owner could add people to the channel without being part of it. There's also the field "who can unsubscribe anyone from this channel", which would allow rust-lang-owner to also remove people from the channel.
Proof
- I created a test channel that only has me
- I added rust-lang in that setting field
- As you can see from the following picture, rust-lang-owner isn't present in the channel members:
How to
People who created the private stream could add rust-lang-owner to both those fields, so that from that point on, the stream can be managed in this repo.
Alternative
An alternative, useful for streams that need to be created from scratch, is that:
- rust-lang-owner creates the stream, setting itself as a stream administrator
- adds all the members to the stream
- removes itself from the stream members, leaving itself as stream administrator
More context
The only private stream configured through this repo we have at the moment is t-compiler/contrib-private:
Line 141 in 353e763
This is just a mitigation
Note that people with access to rust-lang-owner can still add themselves or rust-lang-owner to private streams and read the messages, but when doing so, at least they would leave a trace.
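An audit of the state described above, written as an added example that is not part of the original issue or of sync-team: it classifies private channels by whether rust-lang-owner is a subscriber (so its credential holders can read messages) or only listed in the two permission fields. The struct, its field names, the subscriber names and the two "example-" channels are constructed assumptions, not Zulip API or repo identifiers.

```rust
// Added example: hypothetical data model, not Zulip API or sync-team names.
const SERVICE_ACCOUNT: &str = "rust-lang-owner";

/// One private channel as an auditor might record it (constructed model).
struct Channel<'a> {
    name: &'a str,
    subscribers: &'a [&'a str],
    can_add: &'a [&'a str],         // the "who can add people" setting from the issue
    can_unsubscribe: &'a [&'a str], // "who can unsubscribe anyone from this channel"
}

#[derive(Debug, PartialEq)]
enum Finding {
    Readable,                       // account is a member: its credential holders can read
    Managed,                        // not a member, listed in both fields
    PartiallyManaged(&'static str), // not a member, one field missing
    Unmanaged,                      // not a member, listed in neither field
}

fn audit(ch: &Channel) -> Finding {
    let has = |list: &[&str]| list.contains(&SERVICE_ACCOUNT);
    // Membership wins over everything else: it is what grants read access.
    if has(ch.subscribers) {
        return Finding::Readable;
    }
    match (has(ch.can_add), has(ch.can_unsubscribe)) {
        (true, true) => Finding::Managed,
        (true, false) => Finding::PartiallyManaged("cannot remove members"),
        (false, true) => Finding::PartiallyManaged("cannot add members"),
        (false, false) => Finding::Unmanaged,
    }
}

/// Constructed sample data; only the first channel name appears in the issue.
fn sample() -> Vec<Channel<'static>> {
    vec![
        Channel { name: "t-compiler/contrib-private", subscribers: &["alice", "rust-lang-owner"], can_add: &[], can_unsubscribe: &[] },
        Channel { name: "example-migrated", subscribers: &["alice", "bob"], can_add: &["rust-lang-owner"], can_unsubscribe: &["rust-lang-owner"] },
        Channel { name: "example-half", subscribers: &["carol"], can_add: &["rust-lang-owner"], can_unsubscribe: &[] },
    ]
}

fn main() {
    for ch in sample() {
        println!("{:<28} {:?}", ch.name, audit(&ch));
    }
}
```

Run periodically, a channel that moves from Managed back to Readable is the trace mentioned in the mitigation note: the account was re-added as a subscriber.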