Re: removing permissions for long unused accounts?
From: Jeffrey Walton
Subject: Re: removing permissions for long unused accounts?
Date: Sun, 21 Feb 2021 13:36:03 -0500
On Sun, Feb 21, 2021 at 1:20 PM Bruno Haible <bruno@clisp.org> wrote:
>
> On another GNU mailing list, someone is writing:
>
> Since I no longer work on <PACKAGE> I give
> you permission to remove my git server access (the key). If I ever
> change my mind about this, we can work out a new solution.
>
> Can you please check if I have any other privileged accounts or rights
> left in the infrastructure? Even though we have not used password
> based logins, I don't want to be a security liability with possible
> effects for myself and for you.
>
> I tend to agree that everyone who has write access to the repository
> poses a certain (small) security risk; the SSH private key might be
> compromised. Therefore it sounds like a reasonable security measure
> to revoke the write access for users who have been inactive for a
> certain time, say 4 years.
>
> Would you agree with that?
>
> The following people still have write access to the gnulib repository
> and have not done any commits in 4 years:
>
> Andreas Grünbacher
> Bruce Korb
> Ludovic Courtès
> Derek R. Price
> Eli Zaretskii
> Gary V. Vaughan
> Gerd Moellmann
> Sergey Poznyakoff
> Joel E. Denny
> Kamil Dudka
> Stefan Monnier
> Richard M. Stallman
> Ralf Wildenhues
> Stefano Lattarini
>
> I would like to emphasize that removal of write access would *not* be
> a disapproval of past work, nor related to lack of friendship. Just a
> security measure.
>
> What do you think?
From a governance standpoint, I think four years is too long. Active
developers should have write access, others should not.
I would consider dropping the threshold to 90 days or 1 year.
Jeff
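The inactivity check the thread is debating (who still holds write access but has not committed within some window) is easy to get wrong by hand. Below is an added example, not code from this thread or from the gnulib project, showing one way to compute it from `git log --format='%an|%aI'` output and a list of accounts holding write access. The log lines, the access list format (`account name|ssh key comment`), the `DEMO_NOW` timestamp and the three thresholds are all constructed for the demonstration; a real audit would feed in the repository's actual log and key list.

```python
"""Inactivity audit for repository write access (added example).

Given the author/date pairs that `git log --format='%an|%aI'` prints and
the list of accounts holding write access, report which accounts have not
committed within a chosen threshold. All sample data below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of `git log --format='%an|%aI'` output (newest first).
SAMPLE_LOG = """\
Alice Example|2021-02-20T10:15:00+01:00
Bob Example|2020-11-02T09:00:00-05:00
Alice Example|2019-06-01T12:00:00+00:00
Carol Example|2016-01-15T08:30:00+00:00
"""

# Constructed access list, one "account name|ssh key comment" per line.
# The key comment is what you would look for in the authorized_keys file.
SAMPLE_ACCESS = """\
Alice Example|alice@example.org
Bob Example|bob@example.org
Carol Example|carol@example.org
Dave Example|dave@example.org
"""

# The thresholds proposed in the thread, in days (constructed mapping).
THRESHOLDS = {"90 days": 90, "1 year": 365, "4 years": 4 * 365}

# Constructed "current time" so the demo is reproducible.
DEMO_NOW = datetime(2021, 2, 21, 18, 36, tzinfo=timezone.utc)


def last_commit_by_author(log_text):
    """Map author name -> most recent commit time (timezone-aware)."""
    latest = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        name, stamp = line.rsplit("|", 1)
        when = datetime.fromisoformat(stamp)  # %aI carries the UTC offset
        if name not in latest or when > latest[name]:
            latest[name] = when
    return latest


def inactive_accounts(access_text, log_text, now, max_idle_days):
    """Return [(name, key_comment, days_idle)] for accounts past the threshold.

    An account with write access but no commit in the log at all is reported
    with days_idle=None: a key with no visible activity is the clearest
    candidate for revocation, so it must not be silently skipped.
    """
    latest = last_commit_by_author(log_text)
    limit = timedelta(days=max_idle_days)
    flagged = []
    for line in access_text.splitlines():
        if not line.strip():
            continue
        name, key_comment = line.split("|", 1)
        when = latest.get(name)
        if when is None:
            flagged.append((name, key_comment, None))
        elif now - when > limit:
            flagged.append((name, key_comment, (now - when).days))
    return flagged


def revocation_report(access_text, log_text, now):
    """Sorted names to revoke under each threshold, for comparing policies."""
    return {
        label: sorted(n for n, _, _ in
                      inactive_accounts(access_text, log_text, now, days))
        for label, days in THRESHOLDS.items()
    }


if __name__ == "__main__":
    for label, names in revocation_report(SAMPLE_ACCESS, SAMPLE_LOG, DEMO_NOW).items():
        print(f"{label:>8}: {', '.join(names) or '(none)'}")
```

Two caveats when running this against a real repository: the author name in `git log` is whatever the committer put in their `user.name`, so match on the account that actually pushed (from the server-side push log or hook output) where one exists, and compare the names against the access list exactly as spelled there, since accented names are easy to mismatch between the two sources.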