andrewmusselman opened a new issue, #727:
URL: https://github.com/apache/tooling-trusted-releases/issues/727
**ASVS Reference:** 6.3.2 (Finding 2)
### Description
In `atr/datasources/apache.py` (lines ~274–279), specific user accounts are
hardcoded as Tooling committee members, bypassing normal LDAP-based membership
discovery:
```python
async def _update_tooling(data: db.Session) -> tuple[int, int]:
    # ... (lookup of tooling_committee elided in this excerpt)
    tooling_committee.committee_members = ["wave", "sbp", "arm", "akm"]
    tooling_committee.committers = ["wave", "sbp", "arm", "akm"]
    tooling_committee.release_managers = ["wave"]
```
This creates a privilege persistence mechanism that cannot be revoked
through normal administrative processes and violates the principle of
centralized access management.
### Recommendation
Comment out the code, run a fresh ATR instance, and check whether everything
still works.
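The following is an added example (not code from the ATR project or from the issue author) showing the two halves of this finding from the defender's side: a source-level check that flags literal membership lists assigned to committee fields, which can run in CI over a checkout, and a resolver that populates the same fields from directory data only, so that removing an identity from LDAP is sufficient to revoke it. The `Committee` dataclass, the `SAMPLE_SOURCE` excerpt, and the `SAMPLE_DIRECTORY` export (a plain dict standing in for LDAP query results) are all constructed for this example; the field names are the three from the quoted snippet.

```python
"""Added example, not ATR project code: detect hardcoded membership
assignments and show membership derived from directory data instead."""
import ast
from dataclasses import dataclass, field

# Fields that should only ever be populated from the directory (from the issue).
MEMBERSHIP_FIELDS = frozenset({"committee_members", "committers", "release_managers"})


def find_hardcoded_membership(source: str) -> list[tuple[int, str, list[str]]]:
    """Return (line, field, names) for every assignment of a non-empty literal
    list or tuple of strings to a membership field. Operates on source text,
    so it needs no imports of the module under audit."""
    findings: list[tuple[int, str, list[str]]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not isinstance(node.value, (ast.List, ast.Tuple)):
            continue
        elts = node.value.elts
        names = [e.value for e in elts if isinstance(e, ast.Constant) and isinstance(e.value, str)]
        if not names or len(names) != len(elts):
            continue  # empty list, or not a pure literal list of strings
        for target in node.targets:
            if isinstance(target, ast.Attribute) and target.attr in MEMBERSHIP_FIELDS:
                findings.append((node.lineno, target.attr, names))
    return sorted(findings)


@dataclass
class Committee:
    """Hypothetical minimal committee record with the three fields from the issue."""
    name: str
    committee_members: list[str] = field(default_factory=list)
    committers: list[str] = field(default_factory=list)
    release_managers: list[str] = field(default_factory=list)


def resolve_membership(committee: Committee, directory: dict[str, dict[str, list[str]]]) -> Committee:
    """Overwrite every membership field from the directory export only.
    Any value already on the object (including a hardcoded one) is discarded,
    so an identity absent from the directory cannot retain access."""
    groups = directory.get(committee.name, {})
    committee.committee_members = sorted(groups.get("members", []))
    committee.committers = sorted(groups.get("committers", []))
    committee.release_managers = sorted(groups.get("release_managers", []))
    return committee


# Constructed source excerpt in the shape of the snippet quoted in the issue.
SAMPLE_SOURCE = '''
async def _update_tooling(data):
    tooling_committee = data.get("tooling")
    tooling_committee.committee_members = ["alice", "bob"]
    tooling_committee.committers = ["alice", "bob"]
    tooling_committee.release_managers = ["alice"]
    tooling_committee.description = "Tooling"
'''

# Constructed directory export standing in for LDAP-derived group data.
SAMPLE_DIRECTORY = {
    "tooling": {
        "members": ["dave", "carol"],
        "committers": ["dave", "carol", "erin"],
        "release_managers": ["carol"],
    },
}


if __name__ == "__main__":
    for line, attr, names in find_hardcoded_membership(SAMPLE_SOURCE):
        print(f"line {line}: {attr} hardcoded to {names}")
    # A stale hardcoded member is dropped because the directory is authoritative.
    stale = Committee("tooling", committee_members=["alice"])
    print(resolve_membership(stale, SAMPLE_DIRECTORY))
```

The lint deliberately ignores empty lists and lists built from variables, so it targets exactly the pattern in the finding (identities baked into source) rather than every assignment to these fields; the resolver is the shape of the fix the recommendation points at, where the directory lookup is the sole source of membership.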
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]