From: Mark Wielaard <mark@klomp.org>
To: "Frank Ch. Eigler via Overseers" <overseers@sourceware.org>
Cc: "Frank Ch. Eigler" <fche@elastic.org>
Subject: Re: aging inactive users
Date: Mon, 8 Apr 2024 00:29:53 +0200 [thread overview]
Message-ID: <20240407222953.GT1292@gnu.wildebeest.org> (raw)
In-Reply-To: <ZhCho2hjRACDztxy@elastic.org>
Hi Frank,
On Fri, Apr 05, 2024 at 09:13:07PM -0400, Frank Ch. Eigler via Overseers wrote:
> Sourceware does not have a mechanical process for aging out hosted
> project contributors who have not logged on for a long time. Given
> that projects haven't undertaken this sort of janitorial task, it's
> probably time that we put one in place.
>
> A brief shell script scanning ssh authentication logs in
> /var/log/secure* spanning a year indicates that only about 1/4 of our
> accumulated user base has been active during that time.
> (/sourceware/infra/bin/list-ssh-login)
>
> After gathering feedback here, I plan to send a batch of email to
> those found not to be active (via their USER@sourceware.org email
> addresses). Then a few weeks later, if they still haven't become
> active, I plan to set them to "gid=emeritus" status, so those accounts
> can no longer log in. (This status is easy to reverse if anyone there
> is ready to return.)
I assume that this means the email forward will keep working and that
an id will never be reused?
> For administrative/shared accounts, one needs do this analysis on a
> per-key basis. It probably needs to be more recent, considering the
> greater privileges of these accounts, say 6 months. There, a more
> manual process to compare ssh-keygen -l lists against the actually
> used ssh fingerprints could be used. That way, we can age out only
> those users & keys that have not been used, but preserve others. I'll
> work out another little script for that postprocessing and get it to
> note findings via email too.
>
> I propose to repeat this exercise every few months.
So "normal" accounts would expire after one year of inactivity.
"admin" accounts would expire after 6 months of inactivity.
Users will get an email that is about to happen, giving them an
oppertunity to activate their account (in say 2 weeks?). Would a
simple "alive" be enough or do we require an actual push of a commit?
I would propose to then run this process every quarter (3 months).
Thanks,
Mark
next prev parent reply other threads:[~2024-04-07 22:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-06 1:13 Frank Ch. Eigler
2024-04-06 2:13 ` Andrew Pinski
2024-04-07 22:29 ` Mark Wielaard [this message]
2024-04-08 4:32 ` Sam James
2024-04-08 16:20 ` Frank Ch. Eigler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240407222953.GT1292@gnu.wildebeest.org \
--to=mark@klomp.org \
--cc=fche@elastic.org \
--cc=overseers@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).