Re: Do we have any policy for disabling inactive users

On 11/02/22 07:54, Zbigniew Jędrzejewski-Szmek wrote:
> On Thu, Feb 10, 2022 at 11:05:03PM +0000, Gary Buhrmaster wrote:
>> On Thu, Feb 10, 2022 at 9:58 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>>
>>> I have concerns with this approach. I would guess there's a long tail
>>> of packagers that maintain relatively few packages. These packages
>>> might not have frequent upstream releases or require new manual
>>> builds.
>> There are a lot of packages in Fedora that are, for all
>> practical purposes, "functionally stabilized" upstream.
>> They get recompiled at the mass rebuild, but otherwise
>> are in "if it ain't broke, don't fix it" mode (upstream and
>> packaging).  And that seems fine to me.
>>
>>> If we were to automate it, we absolutely should have a
>>> trivial way for people to regain packager status (i.e. not
>>> have to get re-sponsored, etc).
>> The question is then what are you protecting against?
>> If you can reset your password (via email link), and
>> then click a button that says "I'm BACK!", you return
>> to the original concern that was raised about whether
>> this is really the same person you think it is.
> You are right, it seems hard to do this in a way that has an actual
> effect without offending real people. But I think we should try
> to find some way. With 1500+ unused accounts it is just *too easy*
> for someone to find a way to access one of the accounts in an unauthorized
> way. Essentially, if you get access to one of the email accounts, you can
> reset the FAS password. I'd guess that a large fraction of those mail
> addresses are at universities all around the world, and somebody might
> do it just for kicks.
>
> In particular, if we removed the 'packager' bit, people would still
> have the account and all history associated with it. If they ever
> want to start doing packaging work directly (because note that they
> don't actually need it if they're active but somebody else is submitting
> the builds), I think a manual procedure where you have to e.g. open
> a ticket on sponsors tracker to ask to be reinstated would be OK.
>
This is exactly my point of view. My proposal wasn't meant for kicking
off anyone, I was just proposing a periodic check of who's still
overseeing their account.

I'll try to write down a quick script which should expand the one from
Ben by looking for any activity in the last year in
src.fedoraproject.org instead of Koji, then check those users for any
activity in Fedora (datagrepper?).

For the identified users with no activity, I suppose that sending one
email per year asking "hey, is this still your email account and are you
still engaged in Fedora packaging" would be no harm. And, if no reply is
received after an adequate period (2 weeks?), removing the "packager"
bit from the account would be no harm as well. I'm not proposing to
delete their account.

The only issue would be how to handle packages that are maintained by
such users, I think they'd need to be orphaned.

Mattia
