On 12/03/2015 09:50, Jacques Le Roux wrote: > Hi Infra Team and All, > > I have a question I wonder for some time and recently discussed in our > OFBiz PMC ML. > > Committers come and go. When a PMC member resign, because s/he clearly > wants to stop helping on the project and want to be completely > disconnect from it, her/his committer account remains active. I wonder > if this is not an useless security hole. Same for no longer active > committers. The difference with an active committer is s/he will never > know since s/he is possibly no longer monitoring things. > > A credential can be abused by an external person, that can be the > beginning of much troubles we can not all imagine (hackers do)... With > security holes you never know, until it bites you, so I really wonder > why a committer account can not be terminated?
A committer account on its own can do very little in the way of harm. It can (if you know which hoops to jump through) get shell access to people.a.o and it can send e-mail from an @apache.org e-mail address. people.a.o is locked down (and infra has additional monitoring in place) so the risk here is sufficiently small infra is happy with it. It terms of sending e-mail via an @apache.org e-mail address, if it is abusive (i.e. spammy) then we do rely on folks reporting it to us. The PMC is responsible for granting (and revoking) commit access. There is nothing (of a technical nature - you'll have to answer to the board and your community for the social aspects) stopping you removing inactive committers from the appropriate LDAP group(s). I'd add that the PMC is responsible for reviewing all the commits made to the PMC's repositories. You are expected to spot if a long inactive committer suddenly starts making changes or an account you don't recognise makes changes. Likewise, active committers are expected to spot changes in their name they did not make. More generally, if infra has a security concern we shut stuff down and/or lock accounts first and ask questions later. Any security concerns should be reported immediately to r...@apache.org Finally, infra periodically enforces password resets for all committers. This has the helpful side-effect of effectively locking unused committer accounts. Mark