On 3/12/2015 11:31 AM, Pierre Smits wrote:
> The solution as described by Emmanuel and applied by Apache Directory
> project is a good one.

The community mailing list is certainly a reasonable place to discuss this, but it's been discussed before. Note that if you're going to bring a discussion here from another conversation, it's helpful to provide links to what you are referring to.

I think Mark Thomas's reply hidden in the quoted text covers everything that needs to be said:

- The PMC is responsible for reviewing all the commits made.
- The security risks of leaving committer accounts active have been weighed and considered acceptable in other situations.
- The decision is ultimately up to the individual PMCs to make as it is a social decision with no technical impact.

My personal choice as a former security analyst would be to pro-actively remove access, but I accept and respect that the ASF as a whole has made a different decision, and I have not and would not suggest that the projects where I am a PMC member deviate from the standard practice. It did irk me the first time the discussion came up, but I got over it. :-)

On Thu, Mar 12, 2015 at 11:38 AM, Kevin A. McGrail <kmcgr...@pccc.com> wrote:
> On 3/12/2015 11:31 AM, Pierre Smits wrote:
>>
>> Including community dev as it seems appropriate.
>>
>> Offboarding is equally important as onboarding. The solution as described
>> by Emmanuel and applied by Apache Directory project is a good one. If the
>> PMC of project FOO wants to have done it differently, then it is their
>> prerogative.
>
> We will have to agree to disagree because to me it's an apache way that
> volunteers can step away and step back without giant hurdles. This isn't
> about removing from a PMC but more about removing commit access seems like
> an extraordinary step that should be done in rare situations.
>
> Regards,
> KAM