From: Sam James
To: Mark Wielaard via Overseers
Cc: Mark Wielaard
Subject: Re: aging inactive users
Date: Mon, 08 Apr 2024 05:32:44 +0100
Organization: Gentoo
Message-ID: <87msq41nkj.fsf@gentoo.org>
In-Reply-To: <20240407222953.GT1292@gnu.wildebeest.org>

Mark Wielaard via Overseers writes:

> Hi Frank,
>
> On Fri, Apr 05, 2024 at 09:13:07PM -0400, Frank Ch. Eigler via Overseers wrote:
>> Sourceware does not have a mechanical process for aging out hosted
>> project contributors who have not logged on for a long time. Given
>> that projects haven't undertaken this sort of janitorial task, it's
>> probably time that we put one in place.
>>
>> A brief shell script scanning ssh authentication logs in
>> /var/log/secure* spanning a year indicates that only about 1/4 of our
>> accumulated user base has been active during that time.
>> (/sourceware/infra/bin/list-ssh-login)
>>
>> After gathering feedback here, I plan to send a batch of email to
>> those found not to be active (via their USER@sourceware.org email
>> addresses). Then a few weeks later, if they still haven't become
>> active, I plan to set them to "gid=emeritus" status, so those accounts
>> can no longer log in. (This status is easy to reverse if anyone there
>> is ready to return.)
>
> I assume that this means the email forward will keep working and that
> an id will never be reused?
>
>> For administrative/shared accounts, one needs do this analysis on a
>> per-key basis. It probably needs to be more recent, considering the
>> greater privileges of these accounts, say 6 months. There, a more
>> manual process to compare ssh-keygen -l lists against the actually
>> used ssh fingerprints could be used. That way, we can age out only
>> those users & keys that have not been used, but preserve others. I'll
>> work out another little script for that postprocessing and get it to
>> note findings via email too.
>>
>> I propose to repeat this exercise every few months.
>
> So "normal" accounts would expire after one year of inactivity.
> "admin" accounts would expire after 6 months of inactivity.
>
> Users will get an email that is about to happen, giving them an
> opportunity to activate their account (in say 2 weeks?). Would a
> simple "alive" be enough or do we require an actual push of a commit?
>
> I would propose to then run this process every quarter (3 months).

Our policy is
https://wiki.gentoo.org/wiki/Project:Retirement/For_developers, if that
helps.

The overview is: "Inactivity retirement. Happens after roughly 12-16
months of inactivity and four warning mails. The exact timeline and
process depends on the developer's prior activity and current
situation."

Then the policy on e.g. email fwd etc is on the link above.

I think the timeline may not be suitable for sourceware but hopefully
seeing some precedent overall may help.

>
> Thanks,
>
> Mark

thanks,
sam
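
The per-key comparison proposed in the quoted text for shared accounts, as an added example (not the list-ssh-login script or any Sourceware code): it matches `ssh-keygen -l` output for an account's authorized keys against the fingerprints sshd logged for successful logins. The account names, log lines and fingerprints are constructed, and the review window is assumed to be whichever log files are fed in.

```python
import re
from collections import defaultdict

# sshd logs a successful key login as:
#   ... sshd[PID]: Accepted publickey for USER from ADDR port N ssh2: TYPE SHA256:FP
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from \S+ port \d+ "
    r"ssh2: \S+ (?P<fp>SHA256:\S+)")
# `ssh-keygen -l -f authorized_keys` prints: BITS SHA256:FP COMMENT (TYPE)
LISTED = re.compile(r"^\d+ (?P<fp>SHA256:\S+) (?P<comment>.*) \([^)]+\)$")

def used_fingerprints(log_lines):
    """Map each account to the key fingerprints that actually logged in."""
    used = defaultdict(set)
    for line in log_lines:
        m = ACCEPTED.search(line)  # failed attempts do not count as use
        if m:
            used[m["user"]].add(m["fp"])
    return used

def audit(account, keygen_lines, log_lines):
    """Sort one account's authorized keys into used / unused in the window."""
    seen = used_fingerprints(log_lines).get(account, set())
    report = {"used": [], "unused": [], "unlisted": []}
    listed = set()
    for line in keygen_lines:
        m = LISTED.match(line.strip())
        if m:
            listed.add(m["fp"])
            bucket = "used" if m["fp"] in seen else "unused"
            report[bucket].append((m["fp"], m["comment"]))
    # Keys that logged in but are not in the current listing (since removed,
    # or accepted from another authorized_keys source) deserve a manual look.
    report["unlisted"] = sorted(seen - listed)
    return report

# Constructed sample data: "admin" is a shared account, "alice" a normal one.
SAMPLE_LOG = [
    "Apr  5 21:13:07 host sshd[1001]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:EXAMPLEkeyA",
    "Apr  6 08:02:11 host sshd[1002]: Accepted publickey for alice from 192.0.2.11 port 50100 ssh2: RSA SHA256:EXAMPLEkeyB",
    "Apr  6 09:30:45 host sshd[1003]: Failed publickey for admin from 192.0.2.12 port 50200 ssh2: RSA SHA256:EXAMPLEkeyB",
    "Apr  7 10:00:00 host sshd[1004]: Accepted publickey for admin from 192.0.2.13 port 50300 ssh2: RSA SHA256:EXAMPLEkeyD",
]
SAMPLE_KEYS = [  # as printed by ssh-keygen -l for admin's authorized_keys
    "256 SHA256:EXAMPLEkeyA maintainer-one (ED25519)",
    "3072 SHA256:EXAMPLEkeyB maintainer-two (RSA)",
    "256 SHA256:EXAMPLEkeyC no comment (ED25519)",
]

if __name__ == "__main__":
    for bucket, keys in audit("admin", SAMPLE_KEYS, SAMPLE_LOG).items():
        print(bucket, keys)
```

Use is counted per account, so a key that logged in as `alice` is still reported as unused on the shared `admin` account.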