public inbox for overseers@sourceware.org
From: Sam James <sam@gentoo.org>
To: Mark Wielaard via Overseers <overseers@sourceware.org>
Cc: Mark Wielaard <mark@klomp.org>
Subject: Re: aging inactive users
Date: Mon, 08 Apr 2024 05:32:44 +0100
Message-ID: <87msq41nkj.fsf@gentoo.org>
In-Reply-To: <20240407222953.GT1292@gnu.wildebeest.org> (Mark Wielaard via Overseers's message of "Mon, 8 Apr 2024 00:29:53 +0200")

Mark Wielaard via Overseers <overseers@sourceware.org> writes:

> Hi Frank,
>
> On Fri, Apr 05, 2024 at 09:13:07PM -0400, Frank Ch. Eigler via Overseers wrote:
>> Sourceware does not have a mechanical process for aging out hosted
>> project contributors who have not logged on for a long time.  Given
>> that projects haven't undertaken this sort of janitorial task, it's
>> probably time that we put one in place.
>> 
>> A brief shell script scanning ssh authentication logs in
>> /var/log/secure* spanning a year indicates that only about 1/4 of our
>> accumulated user base has been active during that time.
>> (/sourceware/infra/bin/list-ssh-login)
>> 
>> After gathering feedback here, I plan to send a batch of email to
>> those found not to be active (via their USER@sourceware.org email
>> addresses).  Then a few weeks later, if they still haven't become
>> active, I plan to set them to "gid=emeritus" status, so those accounts
>> can no longer log in.  (This status is easy to reverse if anyone there
>> is ready to return.)
>
> I assume that this means the email forward will keep working and that
> an id will never be reused?
>
>> For administrative/shared accounts, one needs do this analysis on a
>> per-key basis.  It probably needs to be more recent, considering the
>> greater privileges of these accounts, say 6 months.  There, a more
>> manual process to compare ssh-keygen -l lists against the actually
>> used ssh fingerprints could be used.  That way, we can age out only
>> those users & keys that have not been used, but preserve others.  I'll
>> work out another little script for that postprocessing and get it to
>> note findings via email too.
>> 
>> I propose to repeat this exercise every few months.
>
> So "normal" accounts would expire after one year of inactivity.
> "admin" accounts would expire after 6 months of inactivity.
>
> Users will get an email that this is about to happen, giving them an
> opportunity to activate their account (in say 2 weeks?). Would a
> simple "alive" be enough or do we require an actual push of a commit?
>
> I would propose to then run this process every quarter (3 months).

Our policy is
https://wiki.gentoo.org/wiki/Project:Retirement/For_developers, if that
helps.

The overview is:
"Inactivity retirement. Happens after roughly 12-16 months of inactivity
and four warning mails. The exact timeline and process depends on the
developer's prior activity and current situation."

Then the policy on e.g. email fwd etc is on the link above. I think the
timeline may not be suitable for sourceware but hopefully seeing some
precedent overall may help.

>
> Thanks,
>
> Mark

thanks,
sam
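
Added example, not part of the thread and not the /sourceware/infra/bin/list-ssh-login script it mentions: a sketch of the log scan discussed above, reporting accounts with no successful public-key login in a year and shared-account keys unused for six months. It assumes traditional syslog-format sshd lines as found in /var/log/secure, approximates the two windows as 365 and 182 days, and uses constructed users, addresses and fingerprints.

```python
import re
from datetime import datetime, timedelta

# sshd's success line for public-key logins, in traditional syslog format.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted publickey "
    r"for (?P<user>\S+) from \S+ port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")

def parse_ts(ts, now):
    # Syslog timestamps have no year: use the latest year that is not in the future.
    dt = datetime.strptime(f"{now.year} {ts}", "%Y %b %d %H:%M:%S")
    return dt if dt <= now else dt.replace(year=now.year - 1)

def last_seen(lines, now):
    """Return ({user: last login}, {(user, fingerprint): last use})."""
    users, keys = {}, {}
    for line in lines:
        m = ACCEPTED.match(line)
        if m:  # failed or non-publickey attempts do not count as activity
            when = parse_ts(m["ts"], now)
            for table, k in ((users, m["user"]), (keys, (m["user"], m["fp"]))):
                table[k] = max(when, table.get(k, when))
    return users, keys

def stale(known, seen, now, max_age):
    """Entries of `known` with no use inside `max_age` (never-seen included)."""
    cutoff = now - max_age
    return sorted(k for k in known if seen.get(k, datetime.min) < cutoff)

# Constructed sample data: hosts, users, addresses and fingerprints are made up.
NOW = datetime(2024, 4, 8)
LOG = """\
May  2 09:00:00 host sshd[100]: Accepted publickey for bob from 192.0.2.7 port 40001 ssh2: RSA SHA256:constructedBobKey
Jun 15 11:30:00 host sshd[101]: Accepted publickey for admin from 192.0.2.8 port 40002 ssh2: ED25519 SHA256:constructedAdminKey2
Mar 30 10:00:00 host sshd[102]: Accepted publickey for alice from 192.0.2.9 port 40003 ssh2: ED25519 SHA256:constructedAliceKey
Apr  1 08:15:00 host sshd[103]: Failed password for carol from 192.0.2.5 port 40004 ssh2
Apr  1 08:20:00 host sshd[104]: Accepted publickey for admin from 192.0.2.6 port 40005 ssh2: ED25519 SHA256:constructedAdminKey1
""".splitlines()
USERS = ["alice", "bob", "carol"]
# Stand-in for fingerprints listed by `ssh-keygen -lf` on the shared account's keys.
ADMIN_KEYS = [("admin", f"SHA256:constructedAdminKey{n}") for n in (1, 2, 3)]

users_seen, keys_seen = last_seen(LOG, NOW)
INACTIVE_USERS = stale(USERS, users_seen, NOW, timedelta(days=365))
UNUSED_ADMIN_KEYS = stale(ADMIN_KEYS, keys_seen, NOW, timedelta(days=182))

if __name__ == "__main__":
    print("inactive users:", INACTIVE_USERS)
    print("unused admin keys:", UNUSED_ADMIN_KEYS)
```

Because the timestamps carry no year, the scan is only unambiguous when the log set covers at most twelve months; older rotated files need to be excluded before feeding it.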

Thread overview: 5+ messages
2024-04-06  1:13 Frank Ch. Eigler
2024-04-06  2:13 ` Andrew Pinski
2024-04-07 22:29 ` Mark Wielaard
2024-04-08  4:32   ` Sam James [this message]
2024-04-08 16:20   ` Frank Ch. Eigler
