From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) by sourceware.org (Postfix) with ESMTPS id DB90F3858D1E for ; Sat, 6 Apr 2024 02:13:28 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org DB90F3858D1E Authentication-Results: sourceware.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=gmail.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org DB90F3858D1E Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2607:f8b0:4864:20::1036 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712369611; cv=none; b=GGSdaTr+UIiXNlUiOrHJTFAZfslcAP60yX7K2cDdXj3UkfmwtxL0T/Am8EIZl/TWHx9iAu+ngeOBLkXVT4LFx3IHtyClsULqivG+UkN0wNCHSWjq0Kwx6g7Y0eliE3d8W5ixhRx4IcNZLu8chL9iGqGoZuZ/xyKzd5qEsWz+KsY= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1712369611; c=relaxed/simple; bh=KpTBa8Rr+XK6iFDeYTjZNn+UeuW5LOaH5yBSULztCAQ=; h=DKIM-Signature:MIME-Version:From:Date:Message-ID:Subject:To; b=dCqp2Vt5GhxYaPTPKDDBVFWrtwsJY1xKCTbqqYvakkgGZmUzVRlBD+wDI31C6EW8ihKnS665ZZdT9ZhjbfIoqrAmxIVbBOIQoYVgGeWBJLS4OxI0tM+G7I3uv9aYq63yLjDnyjM8Xzrs1Bm2ajbt4kuhJoJweAur7/SkqtsuglE= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-pj1-x1036.google.com with SMTP id 98e67ed59e1d1-29b7164eef6so2195257a91.2 for ; Fri, 05 Apr 2024 19:13:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712369607; x=1712974407; darn=sourceware.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=2+bYEoMJlCOm5vpOq8y592oL8V6MwJK74fm9IhEWJN8=; b=hH1Ye7ZfLi+AwfYjmttthk+mw4UGEFfV8By9hY6JspJKfssO4GC84RVGTMqOF3yZiA SPZ7H1Q7Uz1kyAmJuuju3hbdaLskWjmagfK8nqPhE4KF1TpH0Ae+YRuAI5BQgyiP8UWp UwVk2oaaBWr7S/bz5SA/jiiADkeJtiEEEs+LwwbBm0/xS3/VmV4ncy2Wxhu7pKvb122p uzwBdDTfydiVDEKlSoVU3aNcB+iS2rcA3LmYA7VvLFSWspxZqhZYmHuVbZr9exWdP6af y501KLV1m7htlSoC94FL6Gvb626xcjjSjK/0q2H8+1jmw3h5qlmMUOpDYKuw9zuLEzuq 3PiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712369607; x=1712974407; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=2+bYEoMJlCOm5vpOq8y592oL8V6MwJK74fm9IhEWJN8=; b=dCiPpqAploz6esMV6gQXz+zGbq0WbqyL0imTOv7vb5ADgFBuey753+rWWKF58mQ1yv OwWfkreTzrHx5JdzPrtY7ltM7p0PsVJOLKi3LlHmKtaRZaCDEpKfNZ4myCchH85ZdfP0 OkveXNv5AZxJdzot5McZOE3IdmOlcDYPflYJMEX4oVWq2rknlW3550KpTcfsGy3ljzBc w3oQb3r+Pk8QjzHrolzuAlL5DfGDPvivTmjaxc1SgiWnrNTM9YQL8OQOqINj5QKzNMjY 2p4MkFwxFTRdcwWfiXEEI83jatbFlQLtwP+W3WQqBAfCS+0Rb5HrFim1VaPPcx4EgytZ Cl9Q== X-Gm-Message-State: AOJu0YyBhLmJtJzoHMebAs+fDB8KmWLXL5FYiksGt0fia6i83uykXzym KaKVGmY5pSEMxH0FfU4xKnUVN8SqX2JyoQvvrHuWGjVv+eIjOMkhg065TroUbkGI7yNHDF2mFHe 1I2CNDe5EA5aFdNKZPNcwatvhrMxgCAjc6sg= X-Google-Smtp-Source: AGHT+IHLgW2sDd0Qnfnb2dlyn4zbjGKv0E5WOiKDQbg+lw1+RiVZQu+xzrz4v0tomCCkxmTCQpybZRkyVwwZ/DhvalY= X-Received: by 2002:a17:90a:c58a:b0:2a4:7df8:bf5d with SMTP id l10-20020a17090ac58a00b002a47df8bf5dmr2268270pjt.17.1712369607339; Fri, 05 Apr 2024 19:13:27 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Andrew Pinski Date: Fri, 5 Apr 2024 19:13:15 -0700 Message-ID: Subject: Re: aging inactive users To: Overseers mailing list Cc: "Frank Ch. Eigler" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On Fri, Apr 5, 2024 at 6:13=E2=80=AFPM Frank Ch. Eigler via Overseers wrote: > > Hi - > > Sourceware does not have a mechanical process for aging out hosted > project contributors who have not logged on for a long time. Given > that projects haven't undertaken this sort of janitorial task, it's > probably time that we put one in place. I have been meaning to ask about this since LLVM started doing the same a few months ago. https://discourse.llvm.org/t/rfc-new-criteria-for-commit-access/76290 is when they started. Thanks, Andrew Pinski > > A brief shell script scanning ssh authentication logs in > /var/log/secure* spanning a year indicates that only about 1/4 of our > accumulated user base has been active during that time. > (/sourceware/infra/bin/list-ssh-login) > > After gathering feedback here, I plan to send a batch of email to > those found not to be active (via their USER@sourceware.org email > addresses). Then a few weeks later, if they still haven't become > active, I plan to set them to "gid=3Demeritus" status, so those accounts > can no longer log in. (This status is easy to reverse if anyone there > is ready to return.) > > For administrative/shared accounts, one needs do this analysis on a > per-key basis. It probably needs to be more recent, considering the > greater privileges of these accounts, say 6 months. There, a more > manual process to compare ssh-keygen -l lists against the actually > used ssh fingerprints could be used. That way, we can age out only > those users & keys that have not been used, but preserve others. I'll > work out another little script for that postprocessing and get it to > note findings via email too. > > I propose to repeat this exercise every few months. > > Feedback & comments welcome. > > - FChE