If groups are referenced by name only and data can be found later it should be ok.
(Some systems have used group IDs that can be unique, but I am not aware of any at the moment, the same ID can be impossible to create. In that case group should just be hidden from general users.)

Jan

From: Kevin Fenzi <kevin@scrye.com>
Sent: Monday, April 19, 2021 9:29 PM
To: infrastructure@lists.fedoraproject.org <infrastructure@lists.fedoraproject.org>
Subject: account system group deletions
 
Greetings.

I thought I would bring up for dicussion here something thats come up
after the new account system has been put in place.

Namely, how do we handle group deletions.
In the FAS2 world, we never deleted anything. I think this was partly
due to an over abundence of caution (there could be files owned by the
group left over on various machines) and partly just because it was
easier.

We now have 5 requests to remove various no longer used groups.

I've enabled audit logging on our ipa01 instance, so we have audit logs
(and I intend to back them up and keep them forever). So we can tell
when a group was deleted by whom. We also have a db dump from fas2
before the switchover where we can look at who was in what group or what
created it.

So, I would like to propose:

* we will remove groups on request/ticket from a group manager.
* we will not seek out groups to remove, as them being there doesn't
really hurt anything.

Thoughts?

If there's no objections soon I will go ahead and process those
requests.

kevin