[FFmpeg-devel] [RFC] dormant git accounts
Michael Niedermayer
michael at niedermayer.cc
Sun Nov 17 18:51:13 EET 2024
On Wed, Nov 13, 2024 at 12:58:40PM +0100, Michael Niedermayer wrote:
> Hi
>
> On Sun, Nov 10, 2024 at 07:44:11PM +0100, Michael Niedermayer wrote:
> > Hi all
> >
> > On Sat, Nov 09, 2024 at 05:18:08PM +0100, Michael Niedermayer wrote:
> > > Hi all
> > >
> > > Should we disable git accounts for developers who have not been active for
> > > a long time (like 10 years)?
> > >
> > > (if these developers come back, the account would then be enabled again)
> > > but disabling such accounts may improve security (lots of "if" here but
> > > assuming they lose their key, assuming whoever gets hold of the key
> > > has interest and ability to attack ffmpeg and and and, the risk here
> > > is likely low but not 0)
> >
> > I count currently 127 people with git write access
> > above suggestion would disable around 33 accounts.
> >
> > I cannot show the list because of GDPR
> > but the remaining 127-33 accounts are on this list:
> > git log --since 10.years --first-parent --pretty=fuller | grep '^Commit:' | sort | uniq
> >
> > Note that the above command will not produce a clean list. It requires manual
> > cleanup, "Commit:" is just a text field and not everything that's in that field
> > has or had a write account. But I cannot post people's names or email addresses
> >
> > If I hear no one objecting to this (and there are already multiple people
> > in favor) then I will disable the 33 accounts in a few days
>
> I have rechecked this situation and IIUC the GDPR has some exceptions
> for cases where it's in the public interest. I think listing who has
> git write of a public project like FFmpeg is in the public interest
> and that transparency weighs heavier
>
> So here's the list of people who will have git write access after dormant
> accounts are disabled. All the ones here were active in the last 10 years
> as a committer in FFmpeg. No one is added, everyone from this list had access
> before
>
> mstorsjo ajacobs akhirnov cehoyos ngeorge thardin rdoeffinger rsbultje mniedermayer pross rpinochet ssabatini bcoudurier ahannula rpolla compn benoit philipl gbeauchesne ubitux beastd durandal daemon404 pasteeater wm4 jamrial lukaszm jzern andreasc timo rostislav nevcairiel claudio gramner cus thilo pedro arttu vesselin timothygu mattoliver rcombs mateo gajjanag kierank jamesdarnley tvolkert mfaiz rkern kswanson jkqxz josh pburt jansebechlebsky aconverse stevenliu mjbshaw bangnoise vittorio tobiasrapp agupta foo86 jeeb martinv jorge kjeyapal junzhao gyan pavel lizhong laurikasanen songruiling yejunguo hwren jluthra agelman arheinhardt lmwang linjiefu zanevi shutchinson haihao haasn zhilizhao leoizen pal courmisch lynne dmitrii nuomi bsmith feiwan ePirat marth64
>
> (some people above have 2 keys, these duplicates were removed)
>
> I intend to wait a few more days before updating the list so people
> can review this. Mistakes are not impossible as I had to match these
> to the emails from git by hand
Change applied.
No one active as a committer in FFmpeg in the last 10 years should have lost access.
If someone did lose access, please immediately contact me, I'll fix it
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
If the United States is serious about tackling the national security threats
related to an insecure 5G network, it needs to rethink the extent to which it
values corporate profits and government espionage over security.-Bruce Schneier
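An added example, not part of the original message and not FFmpeg's own tooling: one way to automate the hand-matching step described above, joining the `Commit:` / `CommitDate:` fields from `git log --pretty=fuller` against an account list and flagging committer addresses that belong to no account. The account names, addresses, `--date=iso-strict` option and the account-to-email mapping are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the output of
#   git log --first-parent --pretty=fuller --date=iso-strict | grep -E '^Commit(Date)?:'
# Names and addresses are placeholders.
SAMPLE_LOG = """\
Commit:     Alice <alice@corp.example>
CommitDate: 2024-03-01T10:05:00+01:00
Commit:     Dave <dave@example.net>
CommitDate: 2020-06-02T09:00:00+00:00
Commit:     Bob <BOB@example.org>
CommitDate: 2012-05-05T12:00:00+02:00
"""
# Hypothetical account -> committer e-mail mapping (the hand-matched step).
ACCOUNTS = {"alice": ["alice@example.org", "alice@corp.example"],
            "bob": ["bob@example.org"], "carol": ["carol@example.org"]}

def last_commit_by_email(log_text):
    """Map each committer e-mail (lower-cased) to its newest CommitDate."""
    latest, email = {}, None
    for line in log_text.splitlines():
        if m := re.match(r"Commit:\s.*<([^>]*)>", line):
            email = m.group(1).lower()
        elif line.startswith("CommitDate:") and email:
            when = datetime.fromisoformat(line.split(None, 1)[1])
            latest[email] = max(when, latest.get(email, when))
            email = None
    return latest

def classify(accounts, log_text, now, years=10):
    """Return (active, dormant, unmatched e-mails seen inside the window)."""
    cutoff = now - timedelta(days=365.25 * years)  # approximate year length
    seen = {e: d for e, d in last_commit_by_email(log_text).items() if d >= cutoff}
    known = {e.lower(): a for a, es in accounts.items() for e in es}
    active = sorted({known[e] for e in seen if e in known})
    dormant = sorted(set(accounts) - set(active))
    # "Commit:" is free text: addresses with no account need manual review.
    return active, dormant, sorted(e for e in seen if e not in known)

if __name__ == "__main__":
    now = datetime(2024, 11, 17, tzinfo=timezone.utc)
    print(classify(ACCOUNTS, SAMPLE_LOG, now))
```

An account with several keys or addresses stays active if any one of its addresses committed inside the window; accounts with no commit at all are reported as dormant.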