On Tue, 22 Dec 2020 at 21:40, Adam Williamson <adamwill@fedoraproject.org> wrote:
> that's 90 of the 251 who still have provenpackager privileges, but
> haven't run any kind of Koji build since at least 2019-01-01 (if you
> check, it turns out many of them haven't run a build since long before
> then). Many of them, to my knowledge, don't work on Fedora at all any
> more and haven't for years. At least one of them, to my and everyone
> else's knowledge, is sadly dead and has been for some time. One account
> - it's Greg Dekoenigsberg - somehow is in the FAS pp group but doesn't
> exist in koji (any more?)
>
> Perhaps we need a process for cleaning up membership of this extremely
> powerful group? If the FAS password of *any one* of those user accounts
> were somehow compromised (or if just one of them decided they had a
> grudge against Fedora now and were going to have some fun), the results
> could be...unfortunate.

Security implications are one thing, but it's also unfortunate that these accounts (and related packages) exist in limbo.
Would it perhaps make sense to extend/improve your script, run it once every half a year and contact the packagers to check with them whether they're still interested in Fedora?

Best,
Andy