Message ID | 20161121173044.7114-1-michael@niedermayer.cc |
---|---|
State | Accepted |
Commit | 08d3b9ad912054833327a895c27abb52716ed6e5 |
On Mon, Nov 21, 2016 at 06:30:44PM +0100, Michael Niedermayer wrote:
> I omitted developers who do not use their account and i felt would prefer not
> to be listed.
> I think everyone using their account should be listed if we list anyone
>
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
> MAINTAINERS | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)

applied

[...]

On Mon, 21 Nov 2016, Michael Niedermayer wrote:
> I omitted developers who do not use their account and i felt would prefer not
> to be listed.

I think everyone with access should be listed. If somebody does not use his account for a year or so, his/her access should be revoked.

Regards,
Marton

On Fri, Nov 25, 2016 at 11:11:23AM +0100, Marton Balint wrote:
>
> On Mon, 21 Nov 2016, Michael Niedermayer wrote:
>
> >I omitted developers who do not use their account and i felt would prefer not
> >to be listed.
>
> I think everyone with access should be listed. If somebody does not
> use his account for a year or so, his/her access should be revoked.

i think 1 year is too short

[...]

On 11/25/2016 9:15 AM, Michael Niedermayer wrote:
> On Fri, Nov 25, 2016 at 11:11:23AM +0100, Marton Balint wrote:
>>
>> On Mon, 21 Nov 2016, Michael Niedermayer wrote:
>>
>>> I omitted developers who do not use their account and i felt would prefer not
>>> to be listed.
>>
>> I think everyone with access should be listed. If somebody does not
>> use his account for a year or so, his/her access should be revoked.
>
> i think 1 year is too short

Same. We have developers that participate in discussions, reviews and even IRC chats that while committing stuff, they do it rarely.

The basis for removing access should not be how long it's been since the last time they pushed something but how long it's been since they gave signs of being alive and around.

On Fri, 25 Nov 2016 10:31:58 -0300 James Almer <jamrial@gmail.com> wrote:
> On 11/25/2016 9:15 AM, Michael Niedermayer wrote:
> > On Fri, Nov 25, 2016 at 11:11:23AM +0100, Marton Balint wrote:
> >>
> >> On Mon, 21 Nov 2016, Michael Niedermayer wrote:
> >>
> >>> I omitted developers who do not use their account and i felt would prefer not
> >>> to be listed.
> >>
> >> I think everyone with access should be listed. If somebody does not
> >> use his account for a year or so, his/her access should be revoked.
> >
> > i think 1 year is too short
>
> Same. We have developers that participate in discussions, reviews and even
> IRC chats that while committing stuff, they do it rarely.
>
> The basis for removing access should not be how long it's been since the
> last time they pushed something but how long it's been since they gave signs
> of being alive and around.

If they use it that rarely, someone else can push for them.

On Fri, 25 Nov 2016, James Almer wrote:
> On 11/25/2016 9:15 AM, Michael Niedermayer wrote:
>> On Fri, Nov 25, 2016 at 11:11:23AM +0100, Marton Balint wrote:
>>>
>>> On Mon, 21 Nov 2016, Michael Niedermayer wrote:
>>>
>>>> I omitted developers who do not use their account and i felt would prefer not
>>>> to be listed.
>>>
>>> I think everyone with access should be listed. If somebody does not
>>> use his account for a year or so, his/her access should be revoked.
>>
>> i think 1 year is too short
>
> Same. We have developers that participate in discussions, reviews and even
> IRC chats that while committing stuff, they do it rarely.
>
> The basis for removing access should not be how long it's been since the
> last time they pushed something but how long it's been since they gave signs
> of being alive and around.

If you are worried about this, a revoking patch can be sent to the mailing list, so active people who care can respond and keep their rights.

Regards,
Marton

On Fri, 25 Nov 2016 11:11:23 +0100 (CET) Marton Balint <cus@passwd.hu> wrote:
>
> On Mon, 21 Nov 2016, Michael Niedermayer wrote:
>
> > I omitted developers who do not use their account and i felt would
> > prefer not to be listed.
>
> I think everyone with access should be listed. If somebody does not
> use his account for a year or so, his/her access should be revoked.

any scientific reason why?

-compn

On Sat, 26 Nov 2016, compn wrote:
> On Fri, 25 Nov 2016 11:11:23 +0100 (CET)
> Marton Balint <cus@passwd.hu> wrote:
>
>>
>> On Mon, 21 Nov 2016, Michael Niedermayer wrote:
>>
>> > I omitted developers who do not use their account and i felt would
>> > prefer not to be listed.
>>
>> I think everyone with access should be listed. If somebody does not
>> use his account for a year or so, his/her access should be revoked.
>
> any scientific reason why?
>

In an open source project, the list of people with commit rights should be public.

Revoking unused accounts is a simple security measure against lost/compromised private keys.

Regards,
Marton

On Sat, 26 Nov 2016 17:15:36 +0100 (CET) Marton Balint <cus@passwd.hu> wrote:
>
> On Sat, 26 Nov 2016, compn wrote:
>
> > On Fri, 25 Nov 2016 11:11:23 +0100 (CET)
> > Marton Balint <cus@passwd.hu> wrote:
> >
> >>
> >> On Mon, 21 Nov 2016, Michael Niedermayer wrote:
> >>
> >> > I omitted developers who do not use their account and i felt
> >> > would prefer not to be listed.
> >>
> >> I think everyone with access should be listed. If somebody does not
> >> use his account for a year or so, his/her access should be revoked.
> >
> > any scientific reason why?
> >
>
> In an open source project, the list of people with commit rights
> should be public.
>

no problem

> Revoking unused accounts is a simple security measure against
> lost/compromised private keys.

so unlikely that i cannot even imagine the odds.

-compn

On sextidi 6 Frimaire, year CCXXV, compn wrote:
> so unlikely that i cannot even imagine the odds.
Any scientific reason why?
Regards,
On Sat, 26 Nov 2016 18:05:52 +0100 Nicolas George <george@nsup.org> wrote:
> On sextidi 6 Frimaire, year CCXXV, compn wrote:
> > so unlikely that i cannot even imagine the odds.
>
> Any scientific reason why?

if one wants to be worried about security issues, there are bigger fish to fry.

for one example, how about any and all patches applied to ffmpeg by various distros ?
https://lists.debian.org/debian-security-announce/2008/msg00152.html

because this is a real threat to our users' security. not some lost commit key.

we should be analyzing all distro patches and making sure all CVE fixes get applied by distros as well.

our other developer policies help to mitigate any lost/stolen commit keys anyway. public patch posting and mailing list review, static code analyzing etc.

has any developer come back from the proverbial "dead" , like say fabrice, to make a new commit? no. would we take notice if he did? yes of course.

have developers had write access, been hired by large multinational corporations, stopped developing ffmpeg as a hobby, and then come back years later to work on ffmpeg as part of their employment? yes! multiple times.

just my personal opinion. there's really not much difference between keeping old author accounts or deleting old author accounts from a real world perspective. one plan just takes some precious time away from the busy developer. because he has to make a list, and check it twice, just to find out who is naughty and who is nice. he sees when you are active... he sees when you are inactive...

-compn (help, i've had far too much eggnog.)

On sextidi 6 Frimaire, year CCXXV, compn wrote:
> if one wants to be worried about security issues, there are bigger fish
> to fry.

Hardly ever a valid argument.

> for one example, how about any and all patches applied to ffmpeg by
> various distros ?
> because this is a real threat to our users' security.

No, they are not our users, and therefore not our responsibility.

> has any developer come back from the proverbial "dead" , like say
> fabrice, to make a new commit? no.

Therefore, revoking the key is no problem.

diff --git a/MAINTAINERS b/MAINTAINERS index ffed64f..e80cd23 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -525,6 +525,31 @@ Sparc Roman Shaposhnik OS/2 KO Myung-Hun +Developers with git write access who are currently not maintaining any specific part +==================================================================================== +Alex Converse +Andreas Cadhalpun +Anuradha Suraparaju +Ben Littler +Benjamin Larsson +Bobby Bingham +Daniel Verkamp +Derek Buitenhuis +Ganesh Ajjanagadde +Henrik Gramner +Ivan Uskov +James Darnley +Joakim Plate +Kieran Kunhya +Kirill Gavrilov +Martin Storsjö +Panagiotis Issaris +Pedro Arthur +Sebastien Zwickert +wm4 +(this list is incomplete) + + Releases ========
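
Review bot: the closing "(this list is incomplete)" line in the new MAINTAINERS section means the file still cannot be used to check who holds git write access, which is the reason for publishing the list at all. Either list every account with write access, as the replies ask, or state in the section heading the criterion the commit message applies (accounts that are in use and whose owners do not object to being listed), so a reader knows what absence from the list does and does not imply. If access is later revoked for inactivity, this section has to change in the same patch, so a short note saying the list is kept in sync with the actual access configuration would make that expectation explicit.
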
I omitted developers who do not use their account and i felt would prefer not to be listed.
I think everyone using their account should be listed if we list anyone

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
MAINTAINERS | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)