On Wed, 2020-12-23 at 00:49 +0000, Peter Robinson wrote:
On Wed, Dec 23, 2020 at 12:37 AM Peter Robinson pbrobinson@gmail.com wrote:
On Wed, Dec 23, 2020 at 12:20 AM Kevin Fenzi kevin@scrye.com wrote:
On Tue, Dec 22, 2020 at 11:22:17PM +0000, Peter Robinson wrote:
On Tue, Dec 22, 2020 at 11:02 PM Kevin Fenzi kevin@scrye.com wrote:
On Tue, Dec 22, 2020 at 10:29:11PM +0000, Peter Robinson wrote:
I think what ever process is run at the point their account is disabled should revoke all privileges, that's a fairly standard IT security procedure.
There's no process for packages/provenpackagers.
We do have a process for infrastructure/sysadmins:
https://docs.pagure.org/infra-docs/sysadmin-guide/sops/departing-admin.html
But it only triggers when we _know_ someone isn't contributing anymore (they tell us, etc).
How were the accounts disabled though? Is there a process for that or how did that happen in this context?
Accounts can be disabled two ways:
- The user logs in and marks the account 'inactive'. To change
this back to active they have to reset their password and login again and change it back.
- An admin can change users to 'disabled' where they cannot
change that without intervention.
In both cases all ACLs should be removed, if in the former they wish to have what ever access back there can be a documented process to file a ticket for it.
Just to expand on this a little. Removing access from people that have left the project either because they've decided they're able to continue to contribute (option 1) or because something has triggered an admin process (option 2) isn't a slight on the person involved in any of this process and removing a well earned ACL doesn't remove any of the contributions or the value they provided in the past.
But we have to realise than inactive accounts may mean associated inactive email addresses or other things associated with a person which may be open to compromise as well and we need to protect the project as a whole as after-all if a fellow contributor has moved on to better things account is used to comprise everything where does that leave us?
Maybe mandatory password/key rotation is an option? With your account disabled after a grace period if the password is expired.
We can start with enforcing this for people who have membership in important groups (e.g. provenpackager, sponsors).