Re: [Savannah-hackers-public] Remove resume feature to prevent abuse?

2019-03-14 Thread John Sullivan
Ineiev writes:

> On Thu, Mar 14, 2019 at 12:43:13AM -0400, John Sullivan wrote:
>> 
>> What are the benefits to removing inactive accounts?
>> 
>> I named one, which is security.
>
> I don't think I understand the threats in question very well.
>

I am not the expert on Savannah's specifics here, but in general two
security risks from old accounts are:

1) People re-use passwords and usernames on multiple sites. The impact
of any breach is magnified by the number of accounts; so it is a
needless risk magnifier to have lots of old unused accounts around.

2) Old abandoned accounts that have commit or other kinds of access pose
increased security risks to the projects themselves, because it tends to
be true that their credentials are not as well protected by their
original owners.

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: A462 6CBA FF37 6039 D2D7 5544 97BA 9CE7 61A0 963B
https://status.fsf.org/johns | https://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
.



Re: [Savannah-hackers-public] Remove resume feature to prevent abuse?

2019-03-14 Thread Ineiev
On Tue, Mar 12, 2019 at 11:40:17PM -0400, Svetlana Tkachenko wrote:
> I guess there is the possibility to use git and cvs etc hooks to update a
> field in the userinfo at savannah

I think it may be.




Re: [Savannah-hackers-public] Remove resume feature to prevent abuse?

2019-03-14 Thread Ineiev
On Thu, Mar 14, 2019 at 12:43:13AM -0400, John Sullivan wrote:
> 
> What are the benefits to removing inactive accounts?
> 
> I named one, which is security.

I don't think I understand the threats in question very well.

