<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 11, 2014 at 2:19 PM, Ben Cotton <span dir="ltr"><<a href="mailto:bcotton@fedoraproject.org" target="_blank">bcotton@fedoraproject.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Thu, Jul 10, 2014 at 5:03 PM, Cristian Ciupitu<br>
<<a href="mailto:cristian.ciupitu@yahoo.com">cristian.ciupitu@yahoo.com</a>> wrote:<br>
<br>
> Aren't all actions reversible? Don't we have version control in git<br>
> repositories and also on the wiki? I'm thinking that in the worse case<br>
> scenario, the invalid content will exist only for a short period of<br>
> time.<br>
<br>
Sure, but that doesn't mean we shouldn't protect ourselves against it.<br>
Invalid information isn't as much of a concern, as that generally can<br>
be rolled back easily. But what about the case of malicious activity?<br>
Let's say Sparks snaps one day and posts libelous or threatening<br>
content. Sure that, too, can be reverted but the entire time it's up<br>
it reflects poorly on us and could potentially create legal issues.<br>
<br>
I'll grant that such a scenario is pretty unlikely (not the Sparks<br>
snapping part, but the part where he posts malicious content), but<br>
revoking unneeded access is still a good practice. If someone gets<br>
their git privileges revoked and they actually notice, it's not hard<br>
to give them privileges back. Heck, a stale member policy might<br>
motivate people to ensure they make a contribution sufficient to keep<br>
their bit set.<br>
<br>
One thing we haven't touched on is revoking membership in the Docs<br>
group. I explicitly left it out of my earlier post because it doesn't<br>
really grant any docs-related privilege. However, for some people it's<br>
the difference between being able to vote in elections and not. Is it<br>
appropriate for someone who has made no direct contribution in 5 years<br>
to continue to be able to vote? That's a decision for the Board and<br>
the community at-large, but it's another potential impact of the<br>
implementation details of a stale member policy.<br>
<span class=""><font color="#888888"><br>
<br>
BC<br>
<br>
--<br>
Ben Cotton<br></font></span></blockquote><div><br></div><div>You know, when you put it that way, I think maybe we *should* be pulling Docs memberships. It would be a board level decision to require cla+1 or cla+2 or cla+1+logged-in-within-N-months for elections or mail aliases or whatever but I think the composition of individual groups is up to the policies of that particular group. There's precedent for in *gaining* membership, and for removing it[3]. At the group level, the question is "Does this person participate in our group" - and as you point out, the question of keeping peripheral benefits or privileges is one for the individual.<br>
<br></div><div>For me, it's not as much about security as representing the group accurately. I just typed out and reconsidered about six tedious examples of why that's a good thing, and decided I'd rather hear the other side if need be, arguments why keeping accounts around as members of a group that they've clearly left behind is better for that group. <br>
<br>Security is still a valid concern on principle; the extent to which we trust the individuals in question isn't really relevant. No need for commit access == no access.<br><br><br>[3] <a href="https://fedoraproject.org/wiki/Ambassadors/MembershipService#Removal_Process_for_Ambassador.27s_Membership">https://fedoraproject.org/wiki/Ambassadors/MembershipService#Removal_Process_for_Ambassador.27s_Membership</a><br>
<br></div><div>--Pete<br></div></div></div></div>