bug-gnulib
removing permissions for long unused accounts, take 2


From: Bruno Haible
Subject: removing permissions for long unused accounts, take 2
Date: Wed, 13 Jul 2022 07:18:17 +0200

Hi,

I started this topic in 2021, in [1]: a proposal to remove write
permissions from accounts who haven't pushed in a long while.
There was agreement [2] that contributors who had not directly pushed
a commit in a year could have their write permission revoked.

The discussion ended with the question who of the gnulib savannah
admins wanted to do it.

What has changed since then:

  * The log4j incident in December 2021 and a couple of similar
    incidents in the npm world have brought to everyone's attention
    that the software supply chain is critical.
    As a reaction, the Linux Foundation has created a sub-foundation [3],
    GitHub will make 2FA mandatory by the end of 2023 [4], and similar
    moves are underway in the Ruby and Python communities [5].

In GNU, Gnulib is probably, together with the Autotools, one of the
most critical elements of the software supply chain. If a trojan/malware
commit gets into Gnulib, we would have big trouble.

Also:

  * Since July 2021, I am co-maintainer of Gnulib, and one of the gnulib
    savannah admins.

Therefore I would now like to actually do it.

Dmitry's recipe [6] gives the following result:

$ git log --pretty=fuller --since='1 year' | git shortlog -c -s
     1      Akim Demaille
     1      Ben Pfaff
     4      Bernhard Voelker
   262      Bruno Haible
     5      Jim Meyering
    31      Karl Berry
     2      Marc Nieper-Wißkirchen
   214      Paul Eggert
     5      Pádraig Brady
     1      Reuben Thomas
    17      Simon Josefsson

Also, I wouldn't want to remove Eric Blake, since he's an admin too.

So, the list of people (to notify per mail and to remove from the
membership list on savannah) is the following:

  Assaf Gordon
  Andreas Gruenbacher
  Bruce Korb
  Ludovic Courtès
  Derek Robert Price
  Eli Zaretskii
  Gary V. Vaughan
  Gerd Moellmann
  Dmitry Selyutin
  Sergey Poznyakoff
  James Youngman
  Joel E. Denny
  Kamil Dudka
  Dmitry V. Levin
  Stefan Monnier
  Richard M. Stallman
  Ralf Wildenhues
  Siddhesh Poyarekar
  Stefano Lattarini
  Daiki Ueno
  Jeff Bailey

OK to proceed?

      Bruno

[1] https://lists.gnu.org/archive/html/bug-gnulib/2021-02/msg00070.html
[2] https://lists.gnu.org/archive/html/bug-gnulib/2021-02/msg00085.html
[3] https://www.linuxfoundation.org/blog/linux-foundation-defending-the-global-software-supply-chain-from-cyberattacks-in-2021/
[4] https://www.theverge.com/2022/5/4/23056799/github-contributors-2fa-two-factor-authentication-2023
[5] https://portswigger.net/daily-swig/pypi-repo-to-distribute-4-000-security-keys-to-maintainers-of-critical-projects-in-2fa-drive
[6] https://lists.gnu.org/archive/html/bug-gnulib/2021-02/msg00087.html
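
The access review described in the message above (committers seen in the last year, plus exempted admins, subtracted from the membership list) can be scripted. This is an added example, not part of the original message or of Gnulib; the function names, the one-name-per-line members and exempt files, and matching on committer name are assumptions, and the sample names are constructed.

```shell
#!/bin/sh
# Added example: list members who hold write permission but do not appear
# as a committer in the review window. All helper names are hypothetical.

# Read `git shortlog -c -s` output on stdin; print one committer name per line.
active_committers() {
    # Each line is "<count><TAB><name>"; drop the count column and blank lines.
    sed -e 's/^[[:space:]]*[0-9][0-9]*[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d'
}

# stale_members MEMBERS EXEMPT   (shortlog output on stdin)
# MEMBERS: one name per line, everyone with write permission.
# EXEMPT:  one name per line, accounts to keep regardless (e.g. admins).
# Prints members that are neither active nor exempt, in MEMBERS order.
stale_members() {
    keep=$(mktemp) || return 1
    { active_committers; cat "$2"; } > "$keep"
    awk -v keep="$keep" '
        BEGIN { while ((getline line < keep) > 0) {
                    gsub(/^[ \t]+|[ \t]+$/, "", line); seen[line] = 1 } }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 != "" && !($0 in seen)
    ' "$1"
    rc=$?
    rm -f "$keep"
    return $rc
}

# Constructed sample data; the names are placeholders, not real accounts.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'Alice Active' 'Bob Dormant' 'Carol Admin' 'Zoë Dormant' \
        > "$dir/members"
    printf '%s\n' 'Carol Admin' > "$dir/exempt"
    printf '   262\tAlice Active\n     1\tNot A Member\n' |
        stale_members "$dir/members" "$dir/exempt"
    rm -rf "$dir"
}

# Real use, inside the repository (command taken from the message above):
#   git log --pretty=fuller --since='1 year' | git shortlog -c -s |
#       stale_members members.txt admins.txt
case "${1:-}" in demo) demo ;; esac
```

Committer names in the history may be spelled differently from the names in the membership list, so each name the script reports should be checked by hand before a permission is removed.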