bug-gnulib

removing permissions for long unused accounts?


From: Bruno Haible
Subject: removing permissions for long unused accounts?
Date: Sun, 21 Feb 2021 19:20:43 +0100
User-agent: KMail/5.1.3 (Linux/4.4.0-201-generic; KDE/5.18.0; x86_64; ; )

Hi,

On another GNU mailing list, someone is writing:

  Since I no longer work on <PACKAGE> I give
  you permission to remove my git server access (the key). If I ever
  change my mind about this, we can work out a new solution.

  Can you please check if I have any other privileged accounts or rights
  left in the infrastructure? Even though we have not used password
  based logins, I don't want to be a security liability with possible
  effects for myself and for you.

I tend to agree that everyone who has write access to the repository
poses a certain (small) security risk; the SSH private key might be
compromised. Therefore it sounds like a reasonable security measure
to revoke the write access for users who have been inactive for a
certain time, say 4 years.

Would you agree with that?

The following people still have write access to the gnulib repository
and have not done any commits in 4 years:

  Andreas Grünbacher
  Bruce Korb
  Ludovic Courtès
  Derek R. Price
  Eli Zaretskii
  Gary V. Vaughan
  Gerd Moellmann
  Sergey Poznyakoff
  Joel E. Denny
  Kamil Dudka
  Stefan Monnier
  Richard M. Stallman
  Ralf Wildenhues
  Stefano Lattarini

I would like to emphasize that removal of write access would *not* be
a disapproval of past work, nor related to lack of friendship. Just a
security measure.

What do you think?

Bruno



