Just being paranoid here: do we have any policy / automatism for
disabling "power" users (in the packager group or the like) who have been
inactive for a long time?

I'm no security expert, but an inactive user account may be hacked
without anyone noticing, and if such an account has powers like being in
the packager group, it may inject bad things into the distribution.
I also imagine the case where a user no longer uses their email address
and it becomes available to someone else. The new user may easily reset
the password and gain access to the old Fedora account (provided that the
old user didn't use 2FA).

Does it make sense to start thinking about pruning inactive packagers
without waiting for someone to start the "unresponsive maintainer policy"?
Maybe a script could check user activity in src.fedoraproject.org and send
a warning email if there has been no activity in one year?

Mattia

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org