On Sun, Jan 15, 2012 at 4:49 AM, Andrea Pescetti <pesce...@apache.org> wrote:
> Rob Weir wrote:
>>
>> Did you read anyone say that current privileges are going to be
>> dropped?  I certainly did not say that.
>
>
> No, but that was a doubt I had: in the process of granting new privileges,
> it might be that someone notices that a lot of people already have high
> privileges, and that this group includes people currently unaffiliated with
> the project. I was just making sure that current privileges are not dropped
> now: this will still be an issue, but it can be dealt with separately.
>

That is something we need to deal with, eventually.  Having escalated
privileges associated with people no longer involved with the project
is bad for security. (Wasn't the vector of the last hack of the Apache
website via an XSS attack of bug tracking admin accounts?)

Remember, we can always add permissions back for someone if they did
not see and respond to this note.

Another option is to generate a report of all IDs with elevated
privileges and have that sent to ooo-private where we can decide next
steps.

-Rob

> Regards,
>  Andrea.
