On 09/02/2022 08:03, Mattia Verga via devel wrote:
> Just being paranoid here: do we have any policy / automatism for
> disabling "power" users (in packager group or like) which have been
> inactive for a long time?

Some maintainers don't have recent commits or Koji builds because other
Fedora contributors maintain their packages. Do you want to delete all
these users from Fedora completely?
I think this is a very bad idea. We shouldn't offend people.

> I'm no security expert, but an inactive user account may be hacked
> without noticing and if such an account has powers like being in the
> packager group may inject bad things in the distribution.

That's why we have Bodhi. All updates must reach a positive karma
threshold or remain in testing for 7 days.
Also, I don't remember such precedents in the entire history of Fedora.

> Maybe a script could check user activities in src.fedoraproject.org
> and send a warning email if no activity is made in one year?

You don't need to be logged into src.fedoraproject.org or
account.fedoraproject.org to maintain packages. You can simply make
commits and send them to Bodhi using CLI tools.
--
Sincerely,
Vitaly Zaitsev (vitaly(a)easycoding.org)