[FFmpeg-devel] [RFC] dormant git accounts

Michael Niedermayer michael at niedermayer.cc
Wed Nov 13 13:58:40 EET 2024


Hi

On Sun, Nov 10, 2024 at 07:44:11PM +0100, Michael Niedermayer wrote:
> Hi all
> 
> On Sat, Nov 09, 2024 at 05:18:08PM +0100, Michael Niedermayer wrote:
> > Hi all
> > 
> > Should we disable git accounts for developers who have not been active since
> > a long time (like 10 years) ?
> > 
> > (if these developers come back, the account would then be enabled again)
> > but disabling such accounts may improve security (lots of "if" here but
> > assuming they lose their key, assuming whoever gets hold of the key
> > has interest and ability to attack ffmpeg and and and, the risk here
> > is likely low but not 0)
> 
> I count currently 127 people with git write access
> above suggestion would disable around 33 accounts.
> 
> I cannot show the list because of GDPR
> but the remaining 127-33 accounts are on this list:
> git log  --since 10.years --first-parent --pretty=fuller | grep '^Commit:' | sort | uniq
> 
> Note that above command will not produce a clean list. It requires manual
> cleanup, "Commit:" is just a text field and not everything that's in that field
> has or had a write account. But I cannot post people's names or email addresses
> 
> If I hear no one objecting to this (and there are already multiple people
> in favor) then I will disable the 33 accounts in a few days

I have rechecked this situation and IIUC the GDPR has some exceptions
for cases where it's in the public interest. I think listing who has
git write of a public project like FFmpeg is in the public interest
and that transparency weighs heavier

So here's the list of people who will have git write access after dormant
accounts are disabled. All the ones here were active in the last 10 years
as a committer in FFmpeg. No one is added, everyone from this list had access
before

mstorsjo ajacobs akhirnov cehoyos ngeorge thardin rdoeffinger rsbultje mniedermayer pross rpinochet ssabatini bcoudurier ahannula rpolla compn benoit philipl gbeauchesne ubitux beastd durandal daemon404 pasteeater wm4 jamrial lukaszm jzern andreasc timo rostislav nevcairiel claudio gramner cus thilo pedro arttu vesselin timothygu mattoliver rcombs mateo gajjanag kierank jamesdarnley tvolkert mfaiz rkern kswanson jkqxz josh pburt jansebechlebsky aconverse stevenliu mjbshaw bangnoise vittorio tobiasrapp agupta foo86 jeeb martinv jorge kjeyapal junzhao gyan pavel lizhong laurikasanen songruiling yejunguo hwren jluthra agelman arheinhardt lmwang linjiefu zanevi shutchinson haihao haasn zhilizhao leoizen pal courmisch lynne dmitrii nuomi bsmith feiwan ePirat marth64

(some people above have 2 keys, these duplicates were removed)

I intend to wait a few more days before updating the list so people
can review this. Mistakes are not impossible as I had to match these
to the emails from git by hand

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are too smart to engage in politics are punished by being
governed by those who are dumber. -- Plato 
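
The access review described in this message can be scripted. The following is an added example, not part of the original message or of FFmpeg's tooling; the ACL file format (`account email [email ...]`, one line per key) and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list write-access accounts with no commit in the review window.
# Assumed ACL format: "account email [email ...]", one line per key.

# active_committers REPO [WINDOW]: committer e-mails seen in the window
active_committers() {
    git -C "$1" log --since="${2:-10.years}" --first-parent --format='%ce' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# dormant_accounts ACL_FILE ACTIVE_FILE: accounts with no active e-mail
dormant_accounts() {
    awk -v active_file="$2" '
        BEGIN {
            # Load active e-mails first; an empty file simply loads nothing.
            while ((getline line < active_file) > 0) active[tolower(line)] = 1
        }
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        {
            # An account may appear once per key; any active line keeps it.
            if (!($1 in hit)) hit[$1] = 0
            for (i = 2; i <= NF; i++)
                if (tolower($i) in active) hit[$1] = 1
        }
        END { for (a in hit) if (!hit[a]) print a }
    ' "$1" | sort
}

# Constructed sample data (not real accounts or addresses).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/acl" <<'EOF'
# account  e-mail(s)
alice  alice@example.org
bob    bob@old.example.net
bob    bob@example.org
carol  carol@example.org
dave   Dave@Example.org
erin   erin@example.org erin@example.net
EOF
    printf '%s\n' alice@example.org bob@example.org dave@example.org \
        > "$tmp/active"
    dormant_accounts "$tmp/acl" "$tmp/active"
    rm -rf "$tmp"
}

demo
```

Because the committer field is free text, the output is a list of candidates for manual review before any account is disabled, not a final list.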