On 11/9/24 11:18 AM, Michael Niedermayer wrote:
> Hi all
>
> Should we disable git accounts for developers who have not been active for
> a long time (like 10 years)?
>
> (if these developers come back, the account would then be enabled again)
> but disabling such accounts may improve security (lots of "if" here but
> assuming they lose their key, assuming whoever gets hold of the key
> has interest and ability to attack ffmpeg and and and, the risk here
> is likely low but not 0)
>
> thx

Yes, clearly, but an issue has come up that apparently we don't know who has access to our infrastructure. How do we not know this?

When michael gave me push access, he asked for my SSH public key, presumably to add to an authorized_keys file somewhere. I presume since he has write access to this file, he can also read it.

I'd imagine that some of these keys are not labeled who they belong to, which is why we don't know. If the keys were all labeled we'd know who they all belong to.

But regardless, I don't think anybody is opposed to having michael go through and check which keys haven't been used in 10 years and removing them from that authorized_keys file.

I'd even say that we may go as far as to remove *every* key that is unlabeled unless we can clearly establish who it belongs to and label it as such. We need to know who these keys belong to so we can contact those people if necessary or know who they are at all.

- Leo Izen (Traneptora)
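One way to carry out the audit described in the reply above (fingerprint every authorized_keys entry, flag the ones with no label, and check each key's last successful login against sshd logs against a 10-year threshold). This is an added example and is not code from the thread or from FFmpeg's infrastructure. Everything in it is constructed: the authorized_keys contents, the base64 "key blobs" (placeholder bytes, not real public keys), the log lines and their hosts and addresses. The fingerprint routine is the same computation OpenSSH uses (SHA256 over the decoded blob, base64 without padding, as `ssh-keygen -lf` prints), so it gives the right answer for real keys; the log format assumes ISO-8601 timestamps in front of the standard `Accepted publickey for ... SHA256:...` sshd message, which is how journald or rsyslog can emit it, and would need its regex adjusted for classic syslog dates.

```python
"""Audit an OpenSSH authorized_keys file: flag unlabeled keys and keys whose
last successful login (from sshd logs) is older than a threshold.
Added example; all sample data below is constructed."""
import base64
import hashlib
import re
from datetime import datetime, timedelta


def fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded key blob)), '=' stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# A key line is: [options] keytype base64-blob [comment]. Options may contain
# quoted strings with spaces, so locate the keytype token instead of splitting.
KEY_RE = re.compile(
    r"(?P<type>(?:sk-)?(?:ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp\d+)(?:@openssh\.com)?)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line: line number, type, fingerprint, comment, options."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            raise ValueError(f"line {lineno}: not a recognised authorized_keys entry")
        entries.append({
            "line": lineno,
            "type": m["type"],
            "fingerprint": fingerprint(m["blob"]),
            "comment": (m["comment"] or "").strip(),
            "options": line[:m.start()].strip(),
        })
    return entries


# sshd's successful-login message, behind an assumed ISO-8601 timestamp.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}).*Accepted publickey for "
    r"(?P<user>\S+) from (?P<ip>\S+) .*?(?P<fp>SHA256:[A-Za-z0-9+/]+)"
)


def last_use_by_fingerprint(log_lines) -> dict:
    """Map fingerprint -> most recent successful publickey login seen in the logs."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # failed attempts, password logins, unrelated lines
        ts = datetime.fromisoformat(m["ts"])
        if m["fp"] not in seen or ts > seen[m["fp"]]:
            seen[m["fp"]] = ts
    return seen


def audit(entries, last_use, now, max_age=timedelta(days=3650)):
    """Return (entry, flags) pairs. 'never-seen' is weaker than 'stale': it only
    says no login fell inside the log retention window, not that the key has
    been unused for max_age, so check retention before acting on it."""
    findings = []
    for e in entries:
        flags = []
        if not e["comment"]:
            flags.append("unlabeled")
        used = last_use.get(e["fingerprint"])
        if used is None:
            flags.append("never-seen")
        elif now - used > max_age:
            flags.append("stale")
        findings.append((e, flags))
    return findings


def _blob(seed: bytes) -> str:
    # Placeholder base64 "key blob" (constructed; not a real public key).
    return base64.b64encode(seed).decode()


AUTHORIZED_KEYS = "\n".join([
    "# push accounts (constructed sample, not the project's real file)",
    f"ssh-ed25519 {_blob(b'constructed-alice')} alice@example.org",
    f"ssh-rsa {_blob(b'constructed-bob')} bob@example.org",
    f"ssh-ed25519 {_blob(b'constructed-unlabeled')}",
    f'command="git-shell",no-pty ssh-ed25519 {_blob(b"constructed-carol")} carol@example.org',
])
ENTRIES = parse_authorized_keys(AUTHORIZED_KEYS)
NOW = datetime(2024, 11, 9)

# Constructed sshd log lines; the fingerprints are taken from the sample keys so
# the correlation can be shown offline (alice used recently, bob in 2014).
SAMPLE_LOG = [
    f"2024-11-01T10:02:11 host sshd[4711]: Accepted publickey for git from 203.0.113.5 port 51234 ssh2: ED25519 {ENTRIES[0]['fingerprint']}",
    f"2014-06-20T08:15:40 host sshd[1234]: Accepted publickey for git from 198.51.100.7 port 40022 ssh2: RSA {ENTRIES[1]['fingerprint']}",
    "2024-11-02T12:00:00 host sshd[4712]: Failed publickey for git from 203.0.113.9 port 50000 ssh2: RSA SHA256:notAKeyWeKnow",
]


def run_audit(now=NOW, log_lines=SAMPLE_LOG):
    return audit(ENTRIES, last_use_by_fingerprint(log_lines), now)


if __name__ == "__main__":
    for e, flags in run_audit():
        label = e["comment"] or "<unlabeled>"
        print(f"line {e['line']:>3} {e['fingerprint']} {label:24} {', '.join(flags) or 'ok'}")
```

Against the sample data this reports alice as fine, bob as stale, the third key as unlabeled and never seen, and carol's key as never seen. On a real server, feed it the actual file and the full `Accepted publickey` history; a key that is merely "never-seen" should be traced back to its owner (which is exactly why the labels matter) rather than treated as proof of ten years of inactivity, since most hosts keep far less than ten years of auth logs.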

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
