On Wed, Dec 23, 2020 at 12:49:10AM +0000, Peter Robinson wrote:
>
> Just to expand on this a little. Removing access from people that have
> left the project either because they've decided they're able to
> continue to contribute (option 1) or because something has triggered
> an admin process (option 2) isn't a slight on the person involved in
> any of this process and removing a well earned ACL doesn't remove any
> of the contributions or the value they provided in the past.

Completely agreed!

> But we have to realise that inactive accounts may mean associated
> inactive email addresses or other things associated with a person
> which may be open to compromise as well and we need to protect the
> project as a whole as after all if a fellow contributor has moved on
> to better things account is used to comprise everything where does
> that leave us?
>
> Group membership is easily re-instated, trust after a security
> compromise.... not so much!

Well, we might need to think about that too though.

Say we have a contributor that is very active, in tons of groups. They go inactive. We remove their group membership after a while. Then, years later they appear and send an email from their old gmail account "Hi, I'm back, please re-add me to all my old groups". How do we know that's really the old contributor vs just someone who reclaimed an old gmail account?

But anyhow, lots to consider here... we probably need to come up with a straw man proposal for everyone to poke holes in after the new year.

kevin