[FFmpeg-devel] [RFC] dormant git accounts

Michael Niedermayer michael at niedermayer.cc
Wed Nov 13 20:15:09 EET 2024


Hi Traneptora

On Wed, Nov 13, 2024 at 12:29:22PM -0500, Leo Izen wrote:
> On 11/9/24 11:18 AM, Michael Niedermayer wrote:
> > Hi all
> > 
> > Should we disable git accounts for developers who have not been active since
> > a long time (like 10 years) ?
> > 
> > (if these developers come back, the account would then be enabled again)
> > but disabling such accounts may improve security (lots of "if" here but
> > assuming they lose their key, assuming whoever gets hold of the key
> > has interest and ability to attack ffmpeg and and and, the risk here
> > is likely low but not 0)
> > 
> > thx
> 
> Yes, clearly, but an issue has come up that apparently we don't know who has
> access to our infrastructure. How do we not know this?
> 
> When Michael gave me push access, he asked for my SSH public key, presumably
> to add to an authorized_keys file somewhere. I presume since he has write
> access to this file, he can also read it.

We use gitolite.
gitolite uses git itself to track all changes to who has what access to what
repository.

There is an authorized_keys file, but that is built by hooks from gitolite
out of the gitolite config and keys.

Previously gitosis was used, but it's basically the same.

So there are no unlabeled keys; it's all there, just not in a machine-parsable list.
For example, your key addition looks like this:

commit 149f636328a060c814a429af7e4df40ad20e0e4d (origin/master, origin/HEAD, last-master)
Author: Michael Niedermayer <michael at niedermayer.cc>
Date:   Tue Jan 24 18:01:21 2023 +0100

    Add Leo Izen <leo.izen at gmail.com> to FFmpeg

    Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

 gitosis.conf       | 2 +-
 keydir/leoizen.pub | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Democracy is the form of government in which you can choose your dictator
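
Added example (not part of the original mail, and not FFmpeg's own tooling): since every key grant is a commit in the gitolite admin repository, the machine-parsable list the mail says is missing can be derived by replaying that repository's history for keydir/. The function names, admin names and key files below are hypothetical, and the sample log is constructed.

```python
# Added example: build a key inventory from gitolite-admin history.
# Input is the text printed by this command in a checkout of the admin repo:
#   git log --reverse --no-renames --date=short \
#       --format='commit %H%x09%ad%x09%an' --name-status -- keydir/
from dataclasses import dataclass
from typing import Optional

@dataclass
class KeyRecord:
    path: str
    added_on: str              # ISO date of the commit that added the key
    added_by: str              # author of that commit (the admin)
    added_in: str              # commit hash, for audit follow-up
    removed_on: Optional[str] = None

def key_inventory(log_text):
    """Replay the log oldest-first and return {key path: KeyRecord}."""
    inventory = {}
    commit = date = author = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, date, author = line[len("commit "):].split("\t", 2)
        elif "\t" in line and commit:
            status, path = line.split("\t", 1)
            if not path.endswith(".pub"):
                continue
            if status == "A":                      # key added: access granted
                inventory[path] = KeyRecord(path, date, author, commit)
            elif status == "D" and path in inventory:
                inventory[path].removed_on = date  # key deleted: access revoked
            # "M" (key replaced in place) keeps the original grant record
    return inventory

def active_keys(inventory):
    return sorted(p for p, r in inventory.items() if r.removed_on is None)

def granted_before(inventory, cutoff):
    """Active keys whose grant predates cutoff (ISO date string)."""
    return sorted(p for p in active_keys(inventory) if inventory[p].added_on < cutoff)

# Constructed sample log (hypothetical admins and key files, shortened hashes).
SAMPLE_LOG = "\n".join([
    "commit 1111111\t2012-03-04\tAdmin One", "", "A\tkeydir/alice.pub", "A\tkeydir/bob.pub",
    "commit 2222222\t2019-06-01\tAdmin One", "", "D\tkeydir/bob.pub",
    "commit 3333333\t2023-01-24\tAdmin Two", "", "M\tkeydir/alice.pub", "A\tkeydir/carol.pub",
])
```

The grant date is not an activity date: deciding that an account is dormant still requires comparing this list against each developer's last commit or push in the project repositories.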