On 11/9/24 11:18 AM, Michael Niedermayer wrote:
> Hi all
> Should we disable git accounts for developers who have not been active for
> a long time (like 10 years)?
> (if these developers come back, the account would then be enabled again)
> but disabling such accounts may improve security (lots of "if" here but
> assuming they lose their key, assuming whoever gets hold of the key
> has interest and ability to attack ffmpeg and and and, the risk here
> is likely low but not 0)
> thx
Yes, clearly, but an issue has come up that apparently we don't know who
has access to our infrastructure. How do we not know this?
When Michael gave me push access, he asked for my SSH public key,
presumably to add to an authorized_keys file somewhere. I presume since
he has write access to this file, he can also read it.
I'd imagine that some of these keys are not labeled with who they belong to,
which is why we don't know. If the keys were all labeled we'd know who
they all belong to.
But regardless, I don't think anybody is opposed to having Michael go
through and check which keys haven't been used in 10 years and remove
them from that authorized_keys file.
I'd even say that we may go as far as to remove *every* key that is
unlabeled unless we can clearly establish who it belongs to and label it
as such. We need to know who these keys belong to so we can contact
those people if necessary or know who they are at all.
- Leo Izen (Traneptora)
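One way to run the audit Leo describes, as an added example that is not the ffmpeg project's own tooling: parse an authorized_keys file, flag entries with no identifying comment, and cross-check each key's SHA256 fingerprint against sshd's "Accepted publickey" log lines to find keys that have never been used. It assumes the auth log is available and that sshd logs fingerprints in the SHA256 form shown; the keys and log line below are constructed.

```python
# Added example (not ffmpeg project code): audit an authorized_keys file for entries
# with no identifying comment and for keys sshd has never logged as accepted.
# Sample keys and log lines below are constructed.
import base64
import hashlib
import re
import struct

# options (if any) precede the key type; the comment is whatever follows the blob
KEY_RE = re.compile(r"(?:^|\s)((?:ssh-|ecdsa-|sk-)\S+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")
LOG_RE = re.compile(r"Accepted publickey for \S+ .* (SHA256:[A-Za-z0-9+/]+)")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf and sshd log lines use."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.search(line.strip())
        if line.lstrip().startswith("#") or not m:
            continue  # comment or malformed line; sshd skips these too
        ktype, blob, comment = m.groups()
        entries.append({"line": lineno, "type": ktype,
                        "fingerprint": fingerprint(blob),
                        "comment": (comment or "").strip()})
    return entries

def audit(authorized_keys, log_text):
    """Return (entries without a comment, entries never accepted per the log)."""
    entries = parse_authorized_keys(authorized_keys)
    seen = {m.group(1) for m in map(LOG_RE.search, log_text.splitlines()) if m}
    unlabeled = [e for e in entries if not e["comment"]]
    unused = [e for e in entries if e["fingerprint"] not in seen]
    return unlabeled, unused

def _fake_ed25519_blob(seed):
    """Constructed ssh-ed25519 wire blob (not a real key pair), demo only."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public key
    wire = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(wire).decode()

KEY_ALICE, KEY_UNKNOWN = _fake_ed25519_blob(b"alice"), _fake_ed25519_blob(b"unknown")
SAMPLE_AUTHORIZED_KEYS = ("# constructed sample file\n"
                          f"ssh-ed25519 {KEY_ALICE} alice@laptop\n"
                          f'no-pty,command="git-shell -c" ssh-ed25519 {KEY_UNKNOWN}\n')
SAMPLE_AUTH_LOG = ("Nov  9 11:18:01 git sshd[4242]: Accepted publickey for git from "
                   f"192.0.2.10 port 51234 ssh2: ED25519 {fingerprint(KEY_ALICE)}\n")
```

On a real server the same fingerprints come from `ssh-keygen -lf authorized_keys`, so an unlabeled entry can at least be matched to a known key before it is removed.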
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel