Re: removing permissions for long unused accounts, take 2
From: Jim Meyering
Subject: Re: removing permissions for long unused accounts, take 2
Date: Tue, 12 Jul 2022 23:22:30 -0700

On Tue, Jul 12, 2022 at 10:18 PM Bruno Haible <bruno@clisp.org> wrote:
> Hi,
>
> I started this topic in 2021, in [1]: a proposal to remove write
> permissions from accounts who haven't pushed in a long while.
> There was agreement [2] that contributors who had not directly pushed
> a commit in a year could be revoked the write permission.
>
> The discussion ended with the question who of the gnulib savannah
> admins wanted to do it.
>
> What has changed since then:
>
> * The log4j incident in December 2021 and a couple of similar
> incidents in the npm world have brought to everyone's attention
> that software supply chain is critical.
> As a reaction, the Linux Foundation has created a sub-foundation [3],
> GitHub will make 2FA mandatory by the end of 2023 [4], and similar
> moves are underway in the Ruby and Python communities [5].
>
> In GNU, Gnulib is probably, together with the Autotools, one of the
> most critical elements of the software supply chain. If a trojan/malware
> commit gets into Gnulib, we would have big trouble.
>
> Also:
>
> * Since July 2021, I am co-maintainer of Gnulib, and one of the gnulib
> savannah admins.
>
> Therefore I would now like to actually do it.
...
> OK to proceed?
Thanks for taking this on. Fine with me.