-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PROPOSAL: Automatically remove approvers or maintainers with zero Dapr activity (group only) #445
Comments
@msfussell @yaron2 After given enough time for community discussion, can STC vote on this? |
@artursouza Yes, we will bring this to the Feb STC meeting. For example Amulya Varote (Microsoft) @amulyavarote has not been active as a maintainer for over a year having moved projects |
I think 3 months / quarter is a fair point. You've made it clear the idea isn't related to revoking the status but more about maintaining integrity and protection against exposed accounts with write/admin access.
I think the job and associated scripts alongside issues created should be housed in a separate repo. i.e. |
Suggest that the script pings the maintainers after 3 months of non-activity. This can either be an email, or create an issue on the community repo and put a comment in this issue that then pings the github handle |
This proposal approved by STC |
For security reasons, I propose we automate the removal of an user from approvers or maintainers groups if they did not have any GitHub activity on any Dapr repository for the past 6 months. This proposal is NOT to revoke the user's approver or maintainer status, it is just to remove from the group for security reasons, since it is unsafe to keep inactive accounts with write or admin permission. Also, this proposal does not make a distinction about which repositories the person is participating to remain "active". To track when a person is automatically removed, an issue should be automatically created and serve as a thread to discuss the person's membership status or for the person request to have access added again. In case the person wants to be re-added to the groups, the person would need to perform any "activity" - like simply commenting on an issue.
Summary:
Feedback on this proposal is welcome. The following points are specially important:
Regarding discussions about automatically revoking a person's approver or maintainer status, please, discuss in another issue. This issue is to address a security concern.
The text was updated successfully, but these errors were encountered: