Re: Stale Docs Memberships

On Fri, Jul 11, 2014 at 2:19 PM, Ben Cotton <bcotton@xxxxxxxxxxxxxxxxx> wrote:
On Thu, Jul 10, 2014 at 5:03 PM, Cristian Ciupitu
<cristian.ciupitu@xxxxxxxxx> wrote:

> Aren't all actions reversible? Don't we have version control in git
> repositories and also on the wiki? I'm thinking that in the worst case
> scenario, the invalid content will exist only for a short period of
> time.

Sure, but that doesn't mean we shouldn't protect ourselves against it.
Invalid information isn't as much of a concern, as that generally can
be rolled back easily. But what about the case of malicious activity?
Let's say Sparks snaps one day and posts libelous or threatening
content. Sure, that, too, can be reverted, but the entire time it's up
it reflects poorly on us and could potentially create legal issues.

I'll grant that such a scenario is pretty unlikely (not the Sparks
snapping part, but the part where he posts malicious content), but
revoking unneeded access is still a good practice. If someone gets
their git privileges revoked and they actually notice, it's not hard
to give them privileges back. Heck, a stale member policy might
motivate people to ensure they make a contribution sufficient to keep
their bit set.

One thing we haven't touched on is revoking membership in the Docs
group. I explicitly left it out of my earlier post because it doesn't
really grant any docs-related privilege. However, for some people it's
the difference between being able to vote in elections and not. Is it
appropriate for someone who has made no direct contribution in 5 years
to continue to be able to vote? That's a decision for the Board and
the community at large, but it's another potential impact of the
implementation details of a stale member policy.


BC

--
Ben Cotton

You know, when you put it that way, I think maybe we *should* be pulling Docs memberships.  It would be a board level decision to require cla+1 or cla+2 or cla+1+logged-in-within-N-months for elections or mail aliases or whatever but I think the composition of individual groups is up to the policies of that particular group. There's precedent for in *gaining* membership, and for removing it[3].  At the group level, the question is "Does this person participate in our group" - and as you point out, the question of keeping peripheral benefits or privileges is one for the individual.

For me, it's not as much about security as representing the group accurately.  I just typed out and reconsidered about six tedious examples of why that's a good thing, and decided I'd rather hear the other side if need be, arguments why keeping accounts around as members of a group that they've clearly left behind is better for that group. 

Security is still a valid concern on principle; the extent to which we trust the individuals in question isn't really relevant. No need for commit access == no access.


[3] https://fedoraproject.org/wiki/Ambassadors/MembershipService#Removal_Process_for_Ambassador.27s_Membership

--Pete