@@ -0,0 +1,63 @@
+ = Inactive packagers policy
+ :experimental:
+ :toc:
+
+ [[purpose]]
+ == Purpose
+
+ Users in the `packager` group can push code into official Fedora repositories. If one of these users
+ loses ownership of the email address associated to the Fedora account, it could lead to a potential
+ security breach.
+
+ [[coverage]]
+ == Policy
+
+ A simple periodic check of every user in the `packager` group is performed.
+ One week before beta freeze a script will download the list of packagers and check for any activity
+ in the last 12 months period in the following places:
+
+ * `src.fedoraproject.org`.
+ This will check user's packaging activity.
+
+ * `pagure.io`.
+ For example, to check if the user replies to FESCo tickets.
+
+ * `bodhi.fedoraproject.org`.
+ Checks for updates submission or comments to package updates.
+
+ * Fedora mailing lists.
+ Checks for any message from one of user's known emails inside Fedora mailing lists.
+
+ * `bugzilla.redhat.com`.
+ Checks for user activity in the Red Hat / Fedora bugtracker.
+
+ For those users without any activity in the above systems an `Inactive packager` ticket will be opened.
+ We will try to reach the user, check if they still need/want their account to be in the `packager` group
+ and check if the email used in Fedora account is still valid and overseen by them.
+
+ One week after final release, the script will provide a list of those users that were detected as
+ inactive at the first run and haven't replied to our attempt to reach them. We can consider these users
+ inactive and unreachable and proceed to:
+
+ * Remove their account from the `packager` group.
+
+ * Remove the user from any package where they're the main admin, co-maintainer, or collaborator.
+
+ * Orphan packages for which the user was the main admin.
+
+ The user account will however remain active and if they return to Fedora after some time can regain
+ their 'packager' status in a quicker way (see below).
+
+ In a future version of this policy, users with 2FA enabled may become exempt from the periodic check.
+ Packagers are therefore encouraged to enable 2FA to secure their account.
+
+ [[returning]]
+ == Returning users
+
+ A user that was removed from the `packager` group may return to Fedora after some time and want to regain
+ their packager status.
+
+ Such users are not required to repeat the steps for being sponsored in the `packager` group. Provided that
+ they can prove their identity through other methods than the email used in their account, they can open a
+ ticket in the link:https://pagure.io/packager-sponsors/new_issue/[packager-sponsors] tracker asking for
+ their identity to be confirmed and their status to be restored.
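Review bot: the anchor `[[coverage]]` placed before `== Policy` does not match its heading, while the other two anchors (`[[purpose]]`, `[[returning]]`) mirror their heading text; rename it to `[[policy]]` unless external links already depend on `coverage`. In the "Returning users" section, the requirement that a user "prove their identity through other methods than the email used in their account" names no acceptable method, so sponsors handling the packager-sponsors ticket have no documented baseline to check against; list the accepted methods here or link to where they are defined. Two style points in the Policy section: `'packager' status` uses single quotes where the rest of the document uses backticks (`` `packager` ``), and "associated to the Fedora account" / "in the last 12 months period" read better as "associated with the Fedora account" / "in the last 12 months".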
See FESCo proposal #2759