Re: [Savannah-hackers] [support #103008] Account removal

savannah-hackers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-hackers] [support #103008] Account removal

From:	Sylvain Beucler
Subject:	Re: [Savannah-hackers] [support #103008] Account removal
Date:	Wed, 14 Apr 2004 21:59:37 +0200

It is not really related but:
For changing e-mails:
"I suggest that we follow this procedure:

* Send a message to the address on file, and see if it bounces. Ifit doesn't bounce, then we must ask the original user why, and decidewhat to do on a case by case basis. We should be EXTREMELY reluctant-- if not outright REFUSE -- to change an email address if the one onfile does not bounce.

* If the mail does bounce, we should ask the user if they canproduce any evidence that they once had that email address. The bestevidence would be a GPG-signed message that is signed with a key thathas both their old and new email address on it, and that the GPG key beavailable from a well-known public keyserver. While this could beforged, it would be substantial work to do so and could easily getdiscovered.

(Note, this is why I say the key much be on a public keyserver.Even if they forge the key to refer to email addresses they don'tcontrol (i.e., generate a key that includes bogus info), putting on apublic key server could likely flag the real owner of the emailaddress.)

* If they cannot use the GPG solution, I suppose we should acceptany plausible explanation for why their old email address is bouncing(e.g., changed ISP). If someone truly wants to social engineer theirway into commit access on a project, they can likely do it. We can'tbeat it; we can just make it some effort to succeed in such socialengineering.

Do any savannah-hackers object to this procedure? If not, then pleasego ahead with it."

(bkuhn)

In our case, the user still has access to access to the old account andposted the request with it. Moreover, there is indeed another account(maarten), which has a valid address (while stevenmaarten do not - justcheck the corresponding SF user page). So it should enough to deletethe account w/o confirmation.


--
Sylvain



On 2004.04.14 22:11, Elfyn McBratney wrote:

> Original Submission:  Can the account "stevenmaarten" please be
removed,
> for i have another one.

What would be the procedure for this?  I can remove accounts but
should I
verify him with a GPG-signed request or something similar?

[Prev in Thread]

Current Thread

[Next in Thread]

[Savannah-hackers] [support #103008] Account removal, Steven en Maarten Deprez, 2004/04/14
- Re: [Savannah-hackers] [support #103008] Account removal, Elfyn McBratney, 2004/04/14
  - Re: [Savannah-hackers] [support #103008] Account removal, Sylvain Beucler <=
    - Re: [Savannah-hackers] [support #103008] Account removal, Elfyn McBratney, 2004/04/14
- [Savannah-hackers] [support #103008] Account removal, Elfyn McBratney, 2004/04/14

Prev by Date: [Savannah-hackers] [support #102999] Project registration interrupted - cant register
Next by Date: Re: [Savannah-hackers] [support #103008] Account removal
Previous by thread: Re: [Savannah-hackers] [support #103008] Account removal
Next by thread: Re: [Savannah-hackers] [support #103008] Account removal
Index(es):
- Date
- Thread