#1004 Change: removing user accounts of no longer supported packages on "dnf remove"
Closed: nothingtodo 8 months ago by james. Opened 3 years ago by rdtcustomercare.

I want to request a change in a corner case of package removal:

Current state:

Packages like "sphinx", "gitolite" and others do not remove user accounts on removal of the package which created them.

The idea behind this may be that once-created user accounts should have the same UID when the user decides to reinstall the package in question in the future. A valid approach for maintained packages.

Q: But is that helpful if the package in question does not have a future, aka it's the last package that will refer to that user?
A: No. In this case, it's a security risk:

It still "allows" a login. Example: the F29 package gitolite left the user "gitolite" on the server, but with "/bin/sh" as a shell, so a login is possible. Not directly, as the password is disabled, but considering security bugs in the past, this is a security nightmare about to happen in the future, with no benefit for the user, as the user account serves no more purpose... ever.

Requests for the future:

a) In cases where a package maintainer knows that this package has reached end-of-maintenance, it shall remove the user account bound to that package if it gets erased.

b) A new package should keep track of old accounts matching a) and remove them as a form of housekeeping (good name for the package, btw). Old installations should have it optional, but new installations should have it preinstalled to keep things in sync in the future.

c) Packages removed from the system, but still in maintenance, should change the default shell of a created user account from /bin/(b)ash to at least /bin/nologin to counter future security bugs before they occur.

If a+b do not get a vote, c should be the minimal change, as it's an appropriate measure on any package removal. The reinstall process can simply revert this to a working shell, if needed.
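The situation the reporter describes (a package-created account such as "gitolite" left behind with an interactive shell) can be audited by an administrator without waiting for packaging policy to change. The following is an added example, not code from the ticket or from any Fedora package: it reads a passwd-format file, lists accounts in the system UID range (assumed here to be UID below 1000, root excluded) whose shell can still start a session, and prints the `usermod -s /sbin/nologin` commands that item (c) proposes, as a dry run for review. The passwd lines are a constructed sample, not a real system's /etc/passwd; the list of shells treated as non-login is an assumption and may need extending for a given distribution.

```shell
#!/bin/sh
# Added example (not from the ticket): audit a passwd-format file for system
# accounts that still carry a login-capable shell, and print the remediation
# proposed in item (c) as a dry run.

# Shells that cannot start an interactive session (assumed list; extend as
# needed). Anything else is treated as login-capable.
is_nologin_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "name:uid:shell" for every account with UID < 1000 (root excluded)
# whose shell is login-capable. $1 is the path of a passwd-format file.
list_system_accounts_with_shell() {
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        [ -z "$name" ] && continue                 # skip blank lines
        case "$name" in "#"*) continue ;; esac     # skip comment lines
        [ "$name" = root ] && continue             # root is out of scope
        [ "$uid" -lt 1000 ] 2>/dev/null || continue  # system UID range only
        if ! is_nologin_shell "$shell"; then
            printf '%s:%s:%s\n' "$name" "$uid" "$shell"
        fi
    done < "$1"
}

# Dry run of the fix from item (c): one usermod line per flagged account.
# usermod -s is the standard shadow-utils way to change a login shell.
print_nologin_fixes() {
    list_system_accounts_with_shell "$1" | while IFS=: read -r name _uid _shell; do
        printf 'usermod -s /sbin/nologin %s\n' "$name"
    done
}

# Constructed sample passwd file (not a real system's /etc/passwd).
# "gitolite" mirrors the reporter's case: a system UID with /bin/sh as shell.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
gitolite:x:995:993:gitolite:/var/lib/gitolite:/bin/sh
sphinx:x:994:992:Sphinx:/var/lib/sphinx:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

echo "System accounts with a login-capable shell:"
list_system_accounts_with_shell "$SAMPLE_PASSWD"
echo "Proposed fixes (review before running):"
print_nologin_fixes "$SAMPLE_PASSWD"
```

On a live host, pass /etc/passwd instead of the sample file; the regular user "alice" in the sample is deliberately above the system UID range and is not reported, since item (c) concerns package-created accounts only.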


FYI, I referred the submitter to FPC based on a BZ for the gitolite package.

As a hint to handle another corner case: in the housekeeping package, check /etc/dnf/dnf.conf for an exclude of the package for this user, so that the user does not get removed just because the package had EOM but is still in use on the system.

I know it's been a long time since the ticket was filed, but I disagree with the concept that user accounts added by packages should ever be removed from the system. If an administrator wishes to do this then they can, but a package should never do this automatically.

Packaging is moving to non-scriptlet adding/removing of users/groups ... so this can be dealt with there.

Metadata Update from @james:
- Issue close_status updated to: nothingtodo
- Issue status updated to: Closed (was: Open)
