On Thu, Feb 10, 2022 at 11:05:03PM +0000, Gary Buhrmaster wrote:
> On Thu, Feb 10, 2022 at 9:58 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
> >
> > I have concerns with this approach. I would guess there's a long tail
> > of packagers that maintain relatively few packages. These packages
> > might not have frequent upstream releases or require new manual
> > builds.
>
> There are a lot of packages in Fedora that are, for all
> practical purposes, "functionally stabilized" upstream.
> They get recompiled at the mass rebuild, but otherwise
> are in "if it ain't broke, don't fix it" mode (upstream and
> packaging). And that seems fine to me.
>
> > If we were to automate it, we absolutely should have a
> > trivial way for people to regain packager status (i.e. not
> > have to get re-sponsored, etc).
>
> The question is then what are you protecting against?
> If you can reset your password (via email link), and
> then click a button that says "I'm BACK!", you return
> to the original concern that was raised about whether
> this is really the same person you think it is.

You are right, it seems hard to do this in a way that has an actual
effect without offending real people. But I think we should try to
find some way. With 1500+ unused accounts it is just *too easy* for
someone to find a way to access one of the accounts in an unauthorized
way. Essentially, if you get access to one of the email accounts, you
can reset the FAS password. I'd guess that a large fraction of those
mail addresses are on universities all around the world, and somebody
might do it just for kicks.

In particular, if we removed the 'packager' bit, people would still
have the account and all history associated with it. If they ever
want to start doing packaging work directly (because note that they
don't actually need it if they're active but somebody else is
submitting the builds), I think a manual procedure where you have to
e.g. open a ticket on sponsors tracker to ask to be reinstated would
be OK.

> Perhaps *an* approach to identify inactive packagers is for packages
> that have enabled release monitoring (and more probably should be),
> and for which new upstream releases have been identified, and the
> packager has not yet taken the steps to at least start to update to
> that new release in a reasonable timeframe (12 months?). A quick
> (and likely bad and incomplete) bugzilla search shows over 1000
> tickets where there are upstream updates that are still in NEW
> status in bugzilla and had been (initially) opened over a year ago.
> I think that represents around 350 unique people. Those people may
> be otherwise active, of course, but those packages themselves look
> to be under maintained.

Such "dead" packages are a problem in their own… At least we're doing
much better now with orphaning unbuildable packages than a few years
ago. I think a good direction here would be to automatically connect
more packages to package-monitoring.

Zbyszek
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
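One way to turn the 12-month heuristic from the thread into a review list of dormant packager accounts, as an added example that is not part of the thread and not Fedora infrastructure code; the record fields, the sample accounts and the sample tickets are constructed assumptions standing in for FAS and bugzilla data:

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical; not real FAS or bugzilla records).
TODAY = date(2022, 2, 11)

ACCOUNTS = [
    # user, packager bit, last recorded build/login (None = never recorded)
    {"user": "alice", "packager": True,  "last_activity": date(2022, 1, 20)},
    {"user": "bob",   "packager": True,  "last_activity": date(2019, 6, 1)},
    {"user": "carol", "packager": True,  "last_activity": None},
    {"user": "dave",  "packager": False, "last_activity": None},
]

# Release-monitoring tickets: assignee, package, date opened, current status.
TICKETS = [
    {"user": "alice", "pkg": "foo", "opened": date(2021, 12, 1), "status": "NEW"},
    {"user": "bob",   "pkg": "bar", "opened": date(2020, 10, 5), "status": "NEW"},
    {"user": "bob",   "pkg": "baz", "opened": date(2020, 11, 5), "status": "NEW"},
    {"user": "carol", "pkg": "qux", "opened": date(2020, 1, 1),  "status": "ASSIGNED"},
]


def find_inactive_packagers(accounts, tickets, today=TODAY, stale_days=365):
    """Return {user: [reasons]} for packager accounts that look dormant.

    Two signals are combined: no recorded activity inside the window, and
    release-monitoring tickets still in NEW status for longer than the window.
    Only accounts holding the packager bit are considered, since that bit is
    what an account takeover via e-mail password reset would actually gain.
    """
    cutoff = today - timedelta(days=stale_days)
    stale_pkgs = {}
    for t in tickets:
        if t["status"] == "NEW" and t["opened"] < cutoff:
            stale_pkgs.setdefault(t["user"], []).append(t["pkg"])
    flagged = {}
    for acct in accounts:
        if not acct["packager"]:
            continue
        reasons = []
        last = acct["last_activity"]
        if last is None or last < cutoff:
            reasons.append("no build or login activity in %d days" % stale_days)
        if acct["user"] in stale_pkgs:
            reasons.append("release-monitoring tickets NEW for over %d days: %s"
                           % (stale_days, ", ".join(sorted(stale_pkgs[acct["user"]]))))
        if reasons:
            flagged[acct["user"]] = reasons
    return flagged
```

The output is a review queue for humans, not an automatic revocation list; accounts like "carol" (no recorded activity but a ticket someone is working on) show why the thread wants a cheap, manual reinstatement path alongside any automated removal of the packager bit.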