Simon Josefsson <[email protected]> writes:

> I now realize that the MIA workflow is not particularly aligned with how
> the Go team operates, but I don't see any problem here: the go team
> tries to take care of all golang-* packages, so there is no problem with
> someone just disappearing from the go team.  Which seems to have
> happened a couple of times in the past.  I don't think the MIA team need
> to worry a lot about golang-* packages for a MIA person.  There is just
> nothing to do in that case, except possibly remove someone from
> Uploaders (which argues for making it optional).

Well, at some point we should remove them from Salsa. If they're no longer
involved in Debian work at all, active Salsa credentials are a security
concern without a purpose: It increases our attack surface for people who
might have their credentials compromised by someone who then tries to
insert some sort of malicious back door.

We also should remove them from other ACLs such as DM upload ACLs if
they're not active, for similar reasons. And if they're a full Debian
Developer, they have a lot of other access that we should wind down if
they have fully stepped away from Debian.

I was assuming that this was what the MIA team was trying to do, not just
worry about orphaning packages?

I guess I'm still not sure I understand why Salsa activity isn't even
better than presence in Uploaders or recent uploads to the archive for MIA
team purposes, though. If someone is active in Salsa (committing changes
to packages, merging MRs, etc.), then they're not MIA, no? (They could
still be neglecting other duties, but IIRC the MIA team doesn't really
handle that case, only people who have stopped contributing entirely.)

-- 
Russ Allbery ([email protected])              <https://www.eyrie.org/~eagle/>
