On Sun, Feb 21, 2021 at 1:20 PM Bruno Haible <br...@clisp.org> wrote:
>
> On another GNU mailing list, someone is writing:
>
> Since I no longer work on <PACKAGE> I give
> you permission to remove my git server access (the key). If I ever
> change my mind about this, we can work out a new solution.
>
> Can you please check if I have any other privileged accounts or rights
> left in the infrastructure? Even though we have not used password
> based logins, I don't want to be a security liability with possible
> effects for myself and for you.
>
> I tend to agree that everyone who has write access to the repository
> poses a certain (small) security risk; the SSH private key might be
> compromised. Therefore it sounds like a reasonable security measure
> to revoke the write access for users who have been inactive for a
> certain time, say 4 years.
>
> Would you agree with that?
>
> The following people still have write access to the gnulib repository
> and have not done any commits in 4 years:
>
> Andreas Grünbacher
> Bruce Korb
> Ludovic Courtès
> Derek R. Price
> Eli Zaretskii
> Gary V. Vaughan
> Gerd Moellmann
> Sergey Poznyakoff
> Joel E. Denny
> Kamil Dudka
> Stefan Monnier
> Richard M. Stallman
> Ralf Wildenhues
> Stefano Lattarini
>
> I would like to emphasize that removal of write access would *not* be
> a disapproval of past work, nor related to lack of friendship. Just a
> security measure.
>
> What do you think?
From a governance standpoint, I think four years is too long. Active developers should have write access, others should not. I would consider dropping the threshold to 90 days or 1 year.

Jeff