On 11/02/2022 07:54, Zbigniew Jędrzejewski-Szmek wrote:
With 1500+ unused accounts it is just*too easy*
for someone to find a way to access one of the accounts in an unauthorized
way.
What they can do with this? Pushing a new update for the foo-bar
package? We have Bodhi against this.
In particular, if we removed the 'packager' bit, people would still
have the account and all history associated with it.
If you remove "packager" status, this user will probably leave Fedora.
Maintainers are the main value of the distribution. We shouldn't offend
and forcing them to leave Fedora.
For the identified users with no activity, I suppose that sending one
email per year asking "hey, is this still your email account and are you
still engaged in Fedora packaging" would be no harm.
And you make life easier for potential hackers.
They will simply copy this email and send it to all Fedora contributors.
Some of them will follow the link and hackers will get a lot of real
working accounts.
--
Sincerely,
Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
