Inactive packagers policy

Table des matières

Purpose

Users in the packager group can push code into official Fedora repositories. If one of these users loses ownership of the email address associated to the Fedora account, it could lead to a potential security breach.

Policy

A simple periodic check of every user in the packager group is performed. One week before beta freeze a script will download the list of packagers and check for any activity in the last 12 months period in the following places:

  • src.fedoraproject.org. This will check user’s packaging activity.

  • pagure.io. For example, to check if the user replies to FESCo tickets.

  • bodhi.fedoraproject.org. Checks for updates submission or comments to package updates.

  • Fedora mailing lists. Checks for any message from one of user’s known emails inside Fedora mailing lists.

  • bugzilla.redhat.com. Checks for user activity in the Red Hat / Fedora bugtracker.

For those users without any activity in the above systems an Inactive packager ticket will be opened. We will try to reach the user, check if they still need/want their account to be in the packager group and check if the email used in Fedora account is still valid and overseen by them.

One week after final release, the script will provide a list of those users that were detected as inactive at the first run and haven’t replied to our attempt to reach them. We can consider these users inactive and unreachable and proceed to:

  • Remove their account from the packager group.

  • Remove the user from any package where they’re the main admin, co-maintainer, or collaborator.

  • Orphan packages for which the user was the main admin.

The user account will however remain active and if they return to Fedora after some time can regain their 'packager' status in a quicker way (see below).

In a future version of this policy, users with 2FA enabled may become exempt from the periodic check. Packagers are therefore encouraged to enable 2FA to secure their account.

Returning users

A user that was removed from the packager group may return to Fedora after some time and want to regain their packager status.

Such users are not required to repeat the steps for being sponsored in the packager group. Provided that they can prove their identity through other methods than the email used in their account, they can open a ticket in the packager-sponsors tracker asking for their identity to be confirmed and their status to be restored.