Re: removing permissions for long unused accounts?
From: Jim Meyering
Subject: Re: removing permissions for long unused accounts?
Date: Sun, 21 Feb 2021 12:58:17 -0800
On Sun, Feb 21, 2021 at 10:36 AM Jeffrey Walton <noloader@gmail.com> wrote:
>
> On Sun, Feb 21, 2021 at 1:20 PM Bruno Haible <bruno@clisp.org> wrote:
> >
> > On another GNU mailing list, someone is writing:
> >
> > Since I no longer work on <PACKAGE> I give
> > you permission to remove my git server access (the key). If I ever
> > change my mind about this, we can work out a new solution.
> >
> > Can you please check if I have any other privileged accounts or rights
> > left in the infrastructure? Even though we have not used password
> > based logins, I don't want to be a security liability with possible
> > effects for myself and for you.
> >
> > I tend to agree that everyone who has write access to the repository
> > poses a certain (small) security risk; the SSH private key might be
> > compromised. Therefore it sounds like a reasonable security measure
> > to revoke the write access for users who have been inactive for a
> > certain time, say 4 years.
> >
> > Would you agree with that?
> >
> > The following people still have write access to the gnulib repository
> > and have not done any commits in 4 years:
> >
> > Andreas Grünbacher
> > Bruce Korb
> > Ludovic Courtès
> > Derek R. Price
> > Eli Zaretskii
> > Gary V. Vaughan
> > Gerd Moellmann
> > Sergey Poznyakoff
> > Joel E. Denny
> > Kamil Dudka
> > Stefan Monnier
> > Richard M. Stallman
> > Ralf Wildenhues
> > Stefano Lattarini
> >
> > I would like to emphasize that removal of write access would *not* be
> > a disapproval of past work, nor related to lack of friendship. Just a
> > security measure.
> >
> > What do you think?
>
> From a governance standpoint, I think four years is too long. Active
> developers should have write access, others should not.
>
> I would consider dropping the threshold to 90 days or 1 year.
Limiting access is good for security, indeed. I like the idea.
I agree that four years feels too long.
Maybe a middle ground of 2 years, at least for the first round?
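The review Bruno describes (compare the list of accounts holding write access against each person's most recent commit, and flag anyone past an inactivity threshold) can be automated. The following script is an added example, not code from this thread or from the gnulib project. It assumes the repository history is exported with `git log --format='%an|%aI'` (author name and ISO 8601 author date) and that the access list is a plain list of author names; both the log lines and the access list below are constructed sample data, not real gnulib history. Accounts that have never committed at all are flagged too, since they would otherwise be invisible to a commit-based check.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `git log --format='%an|%aI'` output (not real history).
SAMPLE_LOG = """\
alice|2021-02-20T09:15:00+01:00
bob|2020-11-02T17:40:00-05:00
alice|2019-06-30T12:00:00+00:00
carol|2016-01-15T08:30:00+00:00
bob|2015-03-01T10:00:00+00:00
"""

# Constructed list of accounts that hold write access (e.g. keys installed on
# the git server), keyed by the author name each person uses in commits.
WRITE_ACCESS = ["alice", "bob", "carol", "dave"]

# Date the access review is performed (constructed; matches the thread's date).
REVIEW_DATE = datetime(2021, 2, 21, tzinfo=timezone.utc)


def last_commit_per_author(log_text):
    """Return {author: most recent commit time (UTC)} from '%an|%aI' lines."""
    latest = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        author, _, stamp = line.partition("|")
        # fromisoformat understands the +HH:MM offsets that %aI emits.
        when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        if author not in latest or when > latest[author]:
            latest[author] = when
    return latest


def inactive_accounts(write_access, log_text, threshold_days, now=REVIEW_DATE):
    """List (name, last_commit) for access holders idle longer than threshold_days.

    last_commit is None for accounts with write access but no commits at all;
    those are reported as well, since they cannot be judged active.
    """
    latest = last_commit_per_author(log_text)
    cutoff = now - timedelta(days=threshold_days)
    flagged = []
    for name in write_access:
        when = latest.get(name)
        if when is None or when < cutoff:
            flagged.append((name, when))
    return flagged


if __name__ == "__main__":
    # Show how the candidate thresholds from the thread change the outcome.
    for label, days in (("90 days", 90), ("1 year", 365),
                        ("2 years", 730), ("4 years", 1460)):
        names = [name for name, _ in
                 inactive_accounts(WRITE_ACCESS, SAMPLE_LOG, days)]
        print(f"{label:>8}: revoke {names}")
```

Running it prints one line per threshold; with the sample data the 90-day policy flags `bob`, `carol` and `dave`, while 1, 2 and 4 years flag only `carol` and `dave`. The access list should be taken from the server's actual key inventory rather than from the commit log, otherwise a key that has never been used (like `dave` above) is never reviewed.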