On Wed, Dec 23, 2020 at 12:49:10AM +0000, Peter Robinson wrote:
> Just to expand on this a little. Removing access from people that have
> left the project either because they've decided they're able to
> continue to contribute (option 1) or because something has triggered
> an admin process (option 2) isn't a slight on the person involved in
> any of this process and removing a well earned ACL doesn't remove any
> of the contributions or the value they provided in the past.
Completely agreed!
> But we have to realise that inactive accounts may mean associated
> inactive email addresses or other things associated with a person
> which may be open to compromise as well and we need to protect the
> project as a whole as after all if a fellow contributor has moved on
> to better things account is used to compromise everything where does
> that leave us?
> Group membership is easily re-instated, trust after a security
> compromise.... not so much!
Well, we might need to think about that too though.
Say we have a contributor that is very active, in tons of groups.
They go inactive. We remove their group membership after a while.
Then, years later they appear and send an email from their old gmail
account "Hi, I'm back, please re-add me to all my old groups".
How do we know that's really the old contributor vs just someone who
reclaimed an old gmail account?
But anyhow, lots to consider here... we probably need to come up with a
straw man proposal for everyone to poke holes in after the new year.
kevin