On Tue, Dec 22, 2020 at 12:39:56PM -0800, Adam Williamson wrote:
A propos of some discussion of the Solarwinds news, it occurred to me
to check how many proven packager accounts there are in FAS. There are
251, which seems like a lot. Then it occurred to me to check how many
of them are inactive, so I wrote a little script:
...snip...
that's 90 of the 251 who still have provenpackager privileges, but
haven't run any kind of Koji build since at least 2019-01-01 (if you
check, it turns out many of them haven't run a build since long before
then). Many of them, to my knowledge, don't work on Fedora at all any
more and haven't for years. At least one of them, to my and everyone
else's knowledge, is sadly dead and has been for some time. One account
- it's Greg Dekoenigsberg - somehow is in the FAS pp group but doesn't
exist in koji (any more?)
Do note that some of these people have accounts and group membership,
but their accounts in fas are disabled/inactive.
Perhaps we need a process for cleaning up membership of this extremely
powerful group? If the FAS password of *any one* of those user accounts
were somehow compromised (or if just one of them decided they had a
grudge against Fedora now and were going to have some fun), the results
could be...unfortunate.
Oh look, flashback 13 years:
https://fedoraproject.org/wiki/User:JesseKeating/AutomatedMIAProposal?rd=...
Anyhow, I was in favor of something then, but it got shouted down, and I
am still in favor now of some kind of checkin process. I think it should
be light weight tho... always being bothered is bad. On the other hand
it's hard to know how to notify people. If you send email once a week
for 4 weeks and get no answer does that mean they are missing? Or that
your email is going to the spam folder? Or that they are on a long
vacation not checking email? It's hard to balance.
kevin