Thanks Mark,

It's quite clear

Jacques

On 12/03/2015 11:59, Mark Thomas wrote:
On 12/03/2015 09:50, Jacques Le Roux wrote:
Hi Infra Team and All,

I have a question I have wondered about for some time and recently discussed in our
OFBiz PMC ML.

Committers come and go. When a PMC member resigns, because s/he clearly
wants to stop helping on the project and wants to be completely
disconnected from it, her/his committer account remains active. I wonder
if this is not a useless security hole. Same for no longer active
committers. The difference with an active committer is s/he will never
know since s/he is possibly no longer monitoring things.

A credential can be abused by an external person, and that can be the
beginning of many troubles we cannot all imagine (hackers do)... With
security holes you never know, until it bites you, so I really wonder
why a committer account cannot be terminated?

A committer account on its own can do very little in the way of harm.

It can (if you know which hoops to jump through) get shell access to
people.a.o and it can send e-mail from an @apache.org e-mail address.

people.a.o is locked down (and infra has additional monitoring in place)
so the risk here is sufficiently small that infra is happy with it.

In terms of sending e-mail via an @apache.org e-mail address, if it is
abusive (i.e. spammy) then we do rely on folks reporting it to us.

The PMC is responsible for granting (and revoking) commit access. There
is nothing (of a technical nature - you'll have to answer to the board
and your community for the social aspects) stopping you from removing
inactive committers from the appropriate LDAP group(s).

I'd add that the PMC is responsible for reviewing all the commits made
to the PMC's repositories. You are expected to spot if a long inactive
committer suddenly starts making changes or an account you don't
recognise makes changes. Likewise, active committers are expected to
spot changes in their name they did not make.

More generally, if infra has a security concern we shut stuff down
and/or lock accounts first and ask questions later. Any security
concerns should be reported immediately to r...@apache.org

Finally, infra periodically enforces password resets for all committers.
This has the helpful side-effect of effectively locking unused committer
accounts.

Mark
