Hi,

I started this topic in 2021, in [1]: a proposal to remove write permissions from accounts who haven't pushed in a long while. There was agreement [2] that contributors who had not directly pushed a commit in a year could have their write permission revoked.

The discussion ended with the question who of the gnulib savannah admins wanted to do it.

What has changed since then:

  * The log4j incident in December 2021 and a couple of similar incidents in the npm world have brought to everyone's attention that software supply chain is critical. As a reaction, the Linux Foundation has created a sub-foundation [3], GitHub will make 2FA mandatory by the end of 2023 [4], and similar moves are underway in the Ruby and Python communities [5].

    In GNU, Gnulib is probably, together with the Autotools, one of the most critical elements of the software supply chain. If a trojan/malware commit gets into Gnulib, we would have big trouble.

Also:

  * Since July 2021, I am co-maintainer of Gnulib, and one of the gnulib savannah admins.

Therefore I would now like to actually do it.

Dmitry's recipe [6] gives the following result:

  $ git log --pretty=fuller --since='1 year' | git shortlog -c -s
       1  Akim Demaille
       1  Ben Pfaff
       4  Bernhard Voelker
     262  Bruno Haible
       5  Jim Meyering
      31  Karl Berry
       2  Marc Nieper-Wißkirchen
     214  Paul Eggert
       5  Pádraig Brady
       1  Reuben Thomas
      17  Simon Josefsson

Also, I wouldn't want to remove Eric Blake, since he's an admin too.

So, the list of people (to notify per mail and to remove from the membership list on savannah) is the following:

  Assaf Gordon
  Andreas Gruenbacher
  Bruce Korb
  Ludovic Courtès
  Derek Robert Price
  Eli Zaretskii
  Gary V. Vaughan
  Gerd Moellmann
  Dmitry Selyutin
  Sergey Poznyakoff
  James Youngman
  Joel E. Denny
  Kamil Dudka
  Dmitry V. Levin
  Stefan Monnier
  Richard M. Stallman
  Ralf Wildenhues
  Siddhesh Poyarekar
  Stefano Lattarini
  Daiki Ueno
  Jeff Bailey

OK to proceed?

Bruno

[1] https://lists.gnu.org/archive/html/bug-gnulib/2021-02/msg00070.html
[2] https://lists.gnu.org/archive/html/bug-gnulib/2021-02/msg00085.html
[3] https://www.linuxfoundation.org/blog/linux-foundation-defending-the-global-software-supply-chain-from-cyberattacks-in-2021/
[4] https://www.theverge.com/2022/5/4/23056799/github-contributors-2fa-two-factor-authentication-2023
[5] https://portswigger.net/daily-swig/pypi-repo-to-distribute-4-000-security-keys-to-maintainers-of-critical-projects-in-2fa-drive
[6] https://lists.gnu.org/archive/html/bug-gnulib/2021-02/msg00087.html
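
The audit described in the message above, as an added example that is not part of the original message or of Gnulib's tooling: a shell function that takes the `git shortlog -c -s` output on stdin and subtracts active committers and exempt admins from a member list. The file names `members.txt` and `exempt.txt` (one name per line, exported by hand from the project's membership page) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. File names are assumptions.
#
# stale_members MEMBERS_FILE EXEMPT_FILE
#   stdin : output of `git shortlog -c -s` (commit count, tab, committer name)
#   stdout: members who are neither active committers nor exempt
#   stderr: committers with no exact match in MEMBERS_FILE (usually a
#           spelling difference that would wrongly flag an active member)
stale_members() {
    members_file=$1
    exempt_file=$2
    tmp=$(mktemp -d) || return 1

    # Drop the leading commit count so only the committer name remains.
    sed 's/^[[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*//' |
        LC_ALL=C sort -u > "$tmp/active"

    # Normalise the hand-maintained lists: no blank lines, no # comments.
    sed -e '/^[[:space:]]*$/d' -e '/^#/d' "$members_file" |
        LC_ALL=C sort -u > "$tmp/members"
    sed -e '/^[[:space:]]*$/d' -e '/^#/d' "$exempt_file" |
        LC_ALL=C sort -u > "$tmp/exempt"

    # Anyone active in the window or explicitly exempt keeps write access.
    LC_ALL=C sort -u "$tmp/active" "$tmp/exempt" > "$tmp/keep"

    # Report committers the member list does not know under that name.
    LC_ALL=C comm -13 "$tmp/members" "$tmp/active" |
        sed 's/^/warning: committer not in member list: /' >&2

    # Members with no entry in the keep set are the revocation candidates.
    LC_ALL=C comm -23 "$tmp/members" "$tmp/keep"
    rm -rf "$tmp"
}

# Typical use, run inside the repository being audited:
#   git log --pretty=fuller --since='1 year' | git shortlog -c -s |
#       stale_members members.txt exempt.txt
```

Matching is by exact name, so review every warning on stderr before notifying anyone on the resulting list.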