[FFmpeg-devel] [RFC] dormant git accounts
Leo Izen
leo.izen at gmail.com
Wed Nov 13 19:29:22 EET 2024
On 11/9/24 11:18 AM, Michael Niedermayer wrote:
> Hi all
>
> Should we disable git accounts for developers who have not been active since
> a long time (like 10 years) ?
>
> (if these developers come back, the account would then be enabled again)
> but disabling such accounts may improve security (lots of "if" here but
> assuming they lose their key, assuming whoever gets hold of the key
> has interest and ability to attack ffmpeg and and and, the risk here
> is likely low but not 0)
>
> thx
Yes, clearly, but an issue has come up that apparently we don't know who
has access to our infrastructure. How do we not know this?
When Michael gave me push access, he asked for my SSH public key,
presumably to add to an authorized_keys file somewhere. I presume since
he has write access to this file, he can also read it.
I'd imagine that some of these keys are not labeled who they belong to,
which is why we don't know. If the keys were all labeled we'd know who
they all belong to.
But regardless, I don't think anybody is opposed to having Michael go
through and check which keys haven't been used in 10 years and remove
them from that authorized_keys file.
I'd even say that we may go as far as to remove *every* key that is
unlabeled unless we can clearly establish who it belongs to and label it
as such. We need to know who these keys belong to so we can contact
those people if necessary or know who they are at all.
- Leo Izen (Traneptora)
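As an added illustration of the audit Leo describes (example code, not part of this thread or of FFmpeg's infrastructure), the script below reads an authorized_keys file, flags entries that carry no comment label, and cross-references each key's SHA256 fingerprint against the "Accepted publickey" lines sshd writes to its auth log. The key material, labels and log line are constructed sample data.

```python
import base64, hashlib, re, struct

def ssh_key_blob(key_type, raw_pubkey):
    """Base64 of an OpenSSH public-key blob: length-prefixed type string, then key bytes."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_pubkey)) + raw_pubkey)
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form sshd logs it: 'SHA256:' + unpadded base64 digest."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (key_type, blob, comment) per entry; an options field may precede the type."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
        entries.append((fields[idx], fields[idx + 1], " ".join(fields[idx + 2:])))
    return entries

# Matches sshd's "Accepted publickey for USER from IP port N ssh2: TYPE SHA256:..." lines.
LOG_RE = re.compile(r"Accepted publickey for \S+ from \S+ port \d+ ssh2: \S+ (SHA256:\S+)")

def audit(authorized_keys, auth_log):
    """Flag entries that carry no label or whose key never appears in the retained log."""
    seen = {m.group(1) for m in LOG_RE.finditer(auth_log)}
    findings = []
    for _, blob, comment in parse_authorized_keys(authorized_keys):
        fp = fingerprint(blob)
        problems = (["unlabeled"] if not comment else []) + \
                   (["no logins in log window"] if fp not in seen else [])
        if problems:
            findings.append((fp, comment or "<no label>", problems))
    return findings

# Constructed sample data: synthetic ed25519 key bytes and a made-up log line, not real ones.
_KEYS = {name: ssh_key_blob("ssh-ed25519", bytes([n]) * 32)
         for n, name in enumerate(["active-dev", "long-gone-dev", "unknown"], start=1)}
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_KEYS['active-dev']} active-dev@example\n"
    f'no-pty,from="192.0.2.0/24" ssh-ed25519 {_KEYS["long-gone-dev"]} long-gone-dev\n'
    f"ssh-ed25519 {_KEYS['unknown']}\n")
SAMPLE_AUTH_LOG = ("Nov 13 19:29:22 git sshd[4242]: Accepted publickey for git from 192.0.2.10 "
                   f"port 51234 ssh2: ED25519 {fingerprint(_KEYS['active-dev'])}\n")
for _fp, _label, _problems in audit(SAMPLE_AUTHORIZED_KEYS, SAMPLE_AUTH_LOG):
    print(f"{_fp}  {_label}: {', '.join(_problems)}")
```

The "no logins" check only reaches as far back as the auth logs the server has retained, so a key absent from a short log window is not yet evidence that it has gone unused for years.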