Mattia Verga via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> writes:

> Just being paranoid here: do we have any policy / automatism for
> disabling "power" users (in packager group or like) which have been
> inactive for a long time?
>
> I'm no security expert, but an inactive user account may be hacked
> without noticing and if such an account has powers like being in the
> packager group may inject bad things in the distribution.
> I also imagine the case where a user no longer uses their email address and
> that becomes available to someone else. The new user may easily reset the
> password and gain access to the old Fedora account (provided that the
> old user didn't use 2fa).
>
> Does it make sense to start thinking about pruning inactive packagers without
> waiting for someone to start the "unresponsive maintainer policy"? Maybe a
> script could check user activities in src.fedoraproject.org and send a
> warning email if no activity is made in one year?

Sounds like a good idea to me and waiting for a year of inactivity is imho a reasonable amount of time, if we give them enough time to respond *and* also provide a way to reactivate a deactivated account.

Cheers,
Dan