(sent to freedesktop@ and sitewranglers@, please keep the discussion on
freedesktop@)

Hi all,

currently we have a bit more than 700 user accounts on
freedesktop.org. I suspect some of those are no longer active, but we
currently have no way of detecting this. Some other large projects like
Debian and Fedora try to detect activity through SSH logins, mailing
list activity, etc. Ubuntu requires explicit group renewal for at least
some of the groups, if not all.

The nice thing about using heuristics is it is less work for the people
who use the service. The downside is it is more work to set up and
maintain and it will have both false positives and negatives. Explicit
confirmation has false positives for mail that gets lost because of
wrong forwarding or too tight spam filters, but should not have false
negatives. It is also lightweight on the admin resources.

My suggestion is therefore to require people to reconfirm their
freedesktop.org account once a year. A simple way of doing this would
be to send out a mail with a token to each person and requiring a signed
reply saying "Please keep my account" with the same token. This would
also ensure we have relatively up-to-date email forwarding set up for
all users and that people at least have access to their GPG key.

Feedback welcome, of course.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

great idea

On Sun, May 30, 2010 at 11:01 AM, Tollef Fog Heen <tfheen at err.no> wrote:
>
> (sent to freedesktop@ and sitewranglers@, please keep the discussion on
> freedesktop@)
>
> Hi all,
>
> currently we have a bit more than 700 user accounts on
> freedesktop.org. I suspect some of those are no longer active, but we
> currently have no way of detecting this. Some other large projects like
> Debian and Fedora try to detect activity through SSH logins, mailing
> list activity, etc. Ubuntu requires explicit group renewal for at least
> some of the groups, if not all.
>
> The nice thing about using heuristics is it is less work for the people
> who use the service. The downside is it is more work to set up and
> maintain and it will have both false positives and negatives. Explicit
> confirmation has false positives for mail that gets lost because of
> wrong forwarding or too tight spam filters, but should not have false
> negatives. It is also lightweight on the admin resources.
>
> My suggestion is therefore to require people to reconfirm their
> freedesktop.org account once a year. A simple way of doing this would
> be to send out a mail with a token to each person and requiring a signed
> reply saying "Please keep my account" with the same token. This would
> also ensure we have relatively up-to-date email forwarding set up for
> all users and that people at least have access to their GPG key.
>
> Feedback welcome, of course.
> --
> Tollef Fog Heen
> UNIX is user friendly, it's just picky about who its friends are

-- 
Jon Phillips
http://rejon.org/
http://fabricatorz.com/
http://status.net/
http://rejon.status.net
+ skype: kidproto
+1.415.830.3884 (sf/global)
+86.134.3957.2035 (china)

On Sun, 30 May 2010 11:01:03 +0200, Tollef Fog Heen <tfheen at err.no> wrote:
>
> (sent to freedesktop@ and sitewranglers@, please keep the discussion on
> freedesktop@)
>
> Hi all,
>
> currently we have a bit more than 700 user accounts on
> freedesktop.org. I suspect some of those are no longer active, but we
> currently have no way of detecting this. Some other large projects like
> Debian and Fedora try to detect activity through SSH logins, mailing
> list activity, etc. Ubuntu requires explicit group renewal for at least
> some of the groups, if not all.
>
> The nice thing about using heuristics is it is less work for the people
> who use the service. The downside is it is more work to set up and
> maintain and it will have both false positives and negatives. Explicit
> confirmation has false positives for mail that gets lost because of
> wrong forwarding or too tight spam filters, but should not have false
> negatives. It is also lightweight on the admin resources.
>
> My suggestion is therefore to require people to reconfirm their
> freedesktop.org account once a year. A simple way of doing this would
> be to send out a mail with a token to each person and requiring a signed
> reply saying "Please keep my account" with the same token. This would
> also ensure we have relatively up-to-date email forwarding set up for
> all users and that people at least have access to their GPG key.
>
> Feedback welcome, of course.

I think you're going to end up with a ton more requests to change GPG
keys, and probably some bad expiry due to people putting off setting
up mail signing. I'd prefer we didn't do this unless the person
hasn't ssh accessed fd.o for a while.

]] Eric Anholt

Hi,

| I think you're going to end up with a ton more requests to change GPG
| keys, and probably some bad expiry due to people putting off setting
| up mail signing. I'd prefer we didn't do this unless the person
| hasn't ssh accessed fd.o for a while.

A compromise is to not require signed replies, that'll still ensure we
at least have up-to-date contact addresses for everybody.

And yes, I realise I'll get a bunch of requests for key updates, but as
I'm most likely to be the person handling the requests, that only has a
backlash on myself, it's not like I'm asking anybody else to do tons of
work here.

Regards,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
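
The token round trip discussed in this thread, in the variant without signed replies, sketched as an added example that is not part of any message above and not freedesktop.org's code. The HMAC construction, the key, the account names and all function names are assumptions; checking a GPG signature on the reply is left out.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real deployment would load it from protected storage.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
CONFIRM_PHRASE = "Please keep my account"


def issue_token(account: str, year: int, key: bytes = SERVER_KEY) -> str:
    """Derive the token mailed to `account` for the `year` campaign.

    Binding account and year into the MAC means nothing has to be stored
    per user, and a token from another account or an earlier year fails.
    """
    msg = f"reconfirm|{account}|{year}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def own_lines(body: str):
    """Reply lines written by the sender, skipping '>' quoted text."""
    return [l.strip() for l in body.splitlines()
            if not l.lstrip().startswith(">")]


def check_reply(account: str, year: int, body: str,
                key: bytes = SERVER_KEY) -> str:
    """Classify a reply: 'confirmed', 'no-phrase', 'no-token', 'bad-token'."""
    # The phrase must be in the sender's own words, so an auto-responder
    # that merely quotes the request back is not counted as confirmation.
    if not any(CONFIRM_PHRASE.lower() in l.lower() for l in own_lines(body)):
        return "no-phrase"
    # The token may sit anywhere, including the quoted request.
    candidates = re.findall(r"\b[0-9a-f]{32}\b", body)
    if not candidates:
        return "no-token"
    expected = issue_token(account, year, key)
    if any(hmac.compare_digest(c, expected) for c in candidates):
        return "confirmed"
    return "bad-token"


def accounts_to_review(accounts, replies, year):
    """Accounts without a valid confirmation; replies maps account -> body."""
    return sorted(a for a in accounts
                  if check_reply(a, year, replies.get(a, "")) != "confirmed")
```

Accounts returned by `accounts_to_review` are candidates for a follow-up rather than immediate removal, since lost mail produces exactly this result.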