Stale Docs Memberships

Pete Travis me at petetravis.com
Fri Jul 11 21:09:19 UTC 2014


On Fri, Jul 11, 2014 at 2:19 PM, Ben Cotton <bcotton at fedoraproject.org>
wrote:

> On Thu, Jul 10, 2014 at 5:03 PM, Cristian Ciupitu
> <cristian.ciupitu at yahoo.com> wrote:
>
> > Aren't all actions reversible? Don't we have version control in git
> > repositories and also on the wiki? I'm thinking that in the worst case
> > scenario, the invalid content will exist only for a short period of
> > time.
>
> Sure, but that doesn't mean we shouldn't protect ourselves against it.
> Invalid information isn't as much of a concern, as that generally can
> be rolled back easily. But what about the case of malicious activity?
> Let's say Sparks snaps one day and posts libelous or threatening
> content. Sure, that, too, can be reverted but the entire time it's up
> it reflects poorly on us and could potentially create legal issues.
>
> I'll grant that such a scenario is pretty unlikely (not the Sparks
> snapping part, but the part where he posts malicious content), but
> revoking unneeded access is still a good practice. If someone gets
> their git privileges revoked and they actually notice, it's not hard
> to give them privileges back. Heck, a stale member policy might
> motivate people to ensure they make a contribution sufficient to keep
> their bit set.
>
> One thing we haven't touched on is revoking membership in the Docs
> group. I explicitly left it out of my earlier post because it doesn't
> really grant any docs-related privilege. However, for some people it's
> the difference between being able to vote in elections and not. Is it
> appropriate for someone who has made no direct contribution in 5 years
> to continue to be able to vote? That's a decision for the Board and
> the community at-large, but it's another potential impact of the
> implementation details of a stale member policy.
>
>
> BC
>
> --
> Ben Cotton
>

You know, when you put it that way, I think maybe we *should* be pulling
Docs memberships.  It would be a board level decision to require cla+1 or
cla+2 or cla+1+logged-in-within-N-months for elections or mail aliases or
whatever but I think the composition of individual groups is up to the
policies of that particular group. There's precedent for in *gaining*
membership, and for removing it[3].  At the group level, the question is
"Does this person participate in our group" - and as you point out, the
question of keeping peripheral benefits or privileges is one for the
individual.

For me, it's not as much about security as representing the group
accurately.  I just typed out and reconsidered about six tedious examples
of why that's a good thing, and decided I'd rather hear the other side if
need be, arguments why keeping accounts around as members of a group that
they've clearly left behind is better for that group.

Security is still a valid concern on principle; the extent to which we
trust the individuals in question isn't really relevant. No need for commit
access == no access.


[3]
https://fedoraproject.org/wiki/Ambassadors/MembershipService#Removal_Process_for_Ambassador.27s_Membership

--Pete