Hello,

We'd like to document (and to some extent establish) our practices
of restoring lost accounts; I attach a draft.

What do people think?

Recovering lost accounts
========================

This page documents our procedure of recovering lost accounts.
Savannah admins are expected to follow it, Savannah users may use
it as guidelines for recovering their accounts and to better
understand the threats related to their Savannah accounts.

Unconfirmed accounts
--------------------

Sometimes you don't receive the confirmation email Savannah sends
when you register an account, so you can't confirm it.  Unconfirmed
accounts are removed after 2 or 3 days, the account name is freed,
and you can try again.  If the issue persists, you may [contact
Savannah admins](https://savannah.gnu.org/contact.php).  Since
the account has not been used yet, they can simply activate it
manually: in superuser mode, find the user in the [siteadmin
user list](https://savannah/siteadmin/userlist.php); it has
links that activate accounts.

Idle accounts
-------------

As an anti-spam measure, accounts that haven't been used for more
than two weeks after their creation are also removed automatically.
To avoid this, it is sufficient to submit an item or comment
on any tracker (of course, if your first comments are spam,
your account is going to be deleted---manually), or to actually
join a group (a mere request for inclusion doesn't count).

Lost password
-------------

If you don't remember your password, you (and anyone else) can
[request a password reset](https://savannah.gnu.org/account/lostpw.php).
Savannah will send you a URL that can be visited to set a new password
for your Savannah account.  If you don't receive that
message, you can request another one a few hours later.

If you are concerned about other people initiating these resets and
intercepting the messages, you can register an encryption-capable GPG
key AND enable encryption of reset messages in your account settings.
Note that Savannah still sends reset messages unencrypted if it can't
encrypt with your GPG key, for example, if the key has no
encryption subkey or our GnuPG version doesn't support your key
algorithm. (_On the other hand, if you lose the private part of the
GPG key registered in these settings, you won't be able to reset the
password for your account._)

The messages are sent to the email address you registered.  Often
people lose both their password and control of the email address
they registered with.  In this case, we'll use your registered
SSH key *(FIXME: how?)*, or you can confirm your identity using your
registered GPG key---if you ever registered any SSH or GPG keys
in your account.  (_Likewise, if you lose *all* the keys you registered
in your account, restoring your account will be *harder*._)
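As an added example (not Savannah's own code, and not a description of what the Savannah side actually runs), here are two small shell helpers for the two GPG-related checks above: whether a registered key has a usable encryption subkey, so that reset messages can be encrypted at all, and whether a signed challenge was really made by the key whose fingerprint is registered in the account.  Both parse standard GnuPG output (`gpg --with-colons --list-keys` and `gpg --status-fd 1 --verify`), so they work on the user's side as well as the admin's.  The key listings, fingerprints and status lines in the block are constructed sample data, not real keys.

```shell
#!/bin/sh
# Added example, not Savannah's code.  Helpers for the two GPG-related
# checks in account recovery: (1) does the registered key have a usable
# encryption subkey, so reset messages can be encrypted at all?  (2) was a
# signed challenge made by the key whose fingerprint is on the account?

# Read `gpg --with-colons --list-keys KEYID` on stdin.  In colon format,
# pub:/sub: records carry the validity in field 2 ('e' expired, 'r' revoked,
# 'd' disabled) and the key's capabilities in field 12 ('e' = can encrypt).
# Exit 0 if any non-expired, non-revoked (sub)key can encrypt, else 1.
# (Whether the admin side's GnuPG supports the key algorithm, field 4,
# cannot be decided from the listing alone.)
has_encryption_subkey() {
  awk -F: '
    ($1 == "pub" || $1 == "sub") && index($12, "e") > 0 && $2 !~ /^[red]$/ { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Read `gpg --status-fd 1 --verify challenge.asc` on stdin and print the
# fingerprint of the key that produced a valid signature (field 3 of the
# VALIDSIG status line); exit 1 if there is no VALIDSIG.  The caller then
# compares the printed fingerprint with the one registered in the account,
# rather than trusting the name or email shown in the key's user ID.
valid_sig_fingerprint() {
  awk '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; found = 1; exit }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample listings (not real keys): an Ed25519 signing key
# without and with an encryption subkey, and one whose subkey has expired.
SIGN_ONLY_KEY='pub:u:255:22:0123456789ABCDEF:1600000000:::u:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:255:22:FEDCBA9876543210:1600000000::::::s::::::23:'

KEY_WITH_ENC_SUB="$SIGN_ONLY_KEY
sub:u:255:18:1122334455667788:1600000000::::::e::::::23:"

# Same encryption subkey, but expired (validity field 'e'): must not count.
KEY_WITH_EXPIRED_ENC_SUB="$SIGN_ONLY_KEY
sub:e:255:18:1122334455667788:1600000000:1610000000:::::e::::::23:"

REGISTERED_FPR='0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed gpg --status-fd output for a good signature by that key ...
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-05-01 1714521600 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# ... and for a signature that does not verify: no VALIDSIG line at all.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example User <user@example.org>'

# Decide whether a signed challenge confirms the account: prints "confirmed"
# or "rejected" and returns 0/1.  $1 is the status-fd text, $2 is the
# fingerprint registered in the account.
challenge_confirms_account() {
  fpr=$(printf '%s\n' "$1" | valid_sig_fingerprint) || { echo rejected; return 1; }
  if [ "$fpr" = "$2" ]; then echo confirmed; return 0; fi
  echo rejected; return 1
}

# Demo on the constructed data.  With real gpg the same helpers are fed by:
#   gpg --with-colons --list-keys "$REGISTERED_FPR" | has_encryption_subkey
#   gpg --status-fd 1 --verify challenge.asc 2>/dev/null | valid_sig_fingerprint
printf '%s\n' "$KEY_WITH_ENC_SUB" | has_encryption_subkey && echo "encryption subkey: ok"
printf '%s\n' "$SIGN_ONLY_KEY" | has_encryption_subkey || echo "sign-only key: reset mail would go unencrypted"
challenge_confirms_account "$GOOD_STATUS" "$REGISTERED_FPR"
```

The challenge itself should be a fresh random string chosen by the admin (so an old signature cannot be replayed), and the comparison is against the full fingerprint, not the short key ID or the user ID, since those are not unique to the registered key.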

Heavily used accounts
---------------------

The more activity an account has, the stronger the confirmation
required from the user before it is handed back.  Conversely, if
the account was only used for a few comments in the tracker
and has never joined any group, the admins may hand it over after

* checking the time of the last login from that account, either on
  https://savannah.gnu.org/siteadmin/lastlogins.php or on mgt0 with a
  MySQL query like

      SELECT from_unixtime(session.time) FROM session,user
      WHERE session.user_id=user.user_id AND user.user_name="rms"

* *anything else?*

TODO
----

Add more ways the users can confirm their identity, document
possible exceptions (e.g. requests from FSF's admins...),
redirect LostPassword.mdwn to this page; create a page where
the incidents are logged.
