Mattia Verga via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> writes:

> On 11/02/22 07:54, Zbigniew Jędrzejewski-Szmek wrote:
>> On Thu, Feb 10, 2022 at 11:05:03PM +0000, Gary Buhrmaster wrote:
>>> On Thu, Feb 10, 2022 at 9:58 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>>>
>>>> I have concerns with this approach. I would guess there's a long tail
>>>> of packagers that maintain relatively few packages. These packages
>>>> might not have frequent upstream releases or require new manual
>>>> builds.
>>> There are a lot of packages in Fedora that are, for all
>>> practical purposes, "functionally stabilized" upstream.
>>> They get recompiled at the mass rebuild, but otherwise
>>> are in "if it ain't broke, don't fix it" mode (upstream and
>>> packaging). And that seems fine to me.
>>>
>>>> If we were to automate it, we absolutely should have a
>>>> trivial way for people to regain packager status (i.e. not
>>>> have to get re-sponsored, etc).
>>> The question is then what are you protecting against?
>>> If you can reset your password (via email link), and
>>> then click a button that says "I'm BACK!", you return
>>> to the original concern that was raised about whether
>>> this is really the same person you think it is.
>> You are right, it seems hard to do this in a way that has an actual
>> effect without offending real people. But I think we should try
>> to find some way. With 1500+ unused accounts it is just *too easy*
>> for someone to find a way to access one of the accounts in an unauthorized
>> way. Essentially, if you get access to one of the email accounts, you can
>> reset the FAS password. I'd guess that a large fraction of those mail
>> addresses are on universities all around the world, and somebody might
>> do it just for kicks.
>>
>> In particular, if we removed the 'packager' bit, people would still
>> have the account and all history associated with it. If they ever
>> want to start doing packaging work directly (because note that they
>> don't actually need it if they're active but somebody else is submitting
>> the builds), I think a manual procedure where you have to e.g. open
>> a ticket on sponsors tracker to ask to be reinstated would be OK.
>>
> This is exactly my point of view. My proposal wasn't meant for kicking
> off anyone, I was just proposing a periodic check of who's still
> overseeing their account.
>
> I'll try to write down a quick script which should expand the one from
> Ben by looking for any activity in the last year in
> src.fedoraproject.org instead of Koji, then check those users for any
> activity in Fedora (datagrepper?).
>
> For the identified users with no activity, I suppose that sending one
> email per year asking "hey, is this still your email account and are you
> still engaged in Fedora packaging" would be no harm. And, if no reply is
> received after an adequate period (2 weeks?), removing the "packager"
> bit from the account would be no harm as well. I'm not proposing to
> delete their account.

I'd suggest to make it a month at least, just in case someone takes a
longer vacation.

> The only issue would be how to handle packages that are maintained from
> such users, I think they'd need to be orphaned.

That's really the only sensible option imho.

Cheers,
Dan