On Sun, Feb 9, 2025 at 8:00 AM Slawomir Jaranowski
<s.jaranow...@gmail.com> wrote:

> We have a simple statistic
> https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-dist-tool/job/master/site/dist-tool-committers-stats.html
>
> To remove somebody we need a procedure for it.

Great. I'm glad we already have the information we need. I see 72
committers and maybe 20% of those have been active in the last few
years. I'm not sure what the technical procedure for removing
committer privileges is. I don't have admin access on the GitHub or
svn repos. However, as policy I propose:

1. Once a year, shortly after January 1, an admin manually removes
committership from anyone who hasn't committed in the previous 4
years. For instance, right now we would revoke committership from
anyone whose last commit was in 2020 or earlier. The size of the task
doesn't feel worth automating.

2. If a former committer notices they no longer have permissions and
wants them back to do some work, they just have to ask here on dev@
and they will be regranted. They don't have to prove themselves worthy
of committer privileges again. They've already done that.

3. Other privileges like issue filing and PMC voting remain in effect
as these aren't especially risky.

There might be other permissions like the ability to push to the
website or control the mailing lists we should also lock down. I don't
know exactly how that works, but if anyone does please speak up.

To be clear, we're not banning anyone. We're simply being cautious
about active permissions given the risk of compromised old accounts.
With 72 committers, some of whom haven't been heard from in over ten
years, it's likely some of these accounts are effectively defunct.
It's even possible some developers are deceased.

-- 
Elliotte Rusty Harold
elh...@ibiblio.org
