On Fri, 21 Dec 2012 17:57:44 +0100
Diego Elio Pettenò <flameeyes@×××××××××.eu> wrote:

> > If someone has at some point contributed to Gentoo then why not let
> > them keep their user around, should they want to come back. Of
> > course this doesn't work retroactively, but I think it would be a
> > cool tip of the hat to current and future developers.
>
> ... the users generally are kept, and locked, but also one of the
> things that is done is archiving their home directory on dev.g.o as
> it might be taking quite an amount of space.
|
At my day job I'm the retirer (or BOFH depending who you speak to).
I'll describe my process, maybe you fellows can use it.

Retiring people is too much effort, reinstating them doubly so; we
all have better things to do with our time. There's only 3 things that
get you retired or removed:

1. Resign from the company
2. Dramatically change your entire job (like move from technical to
sales)
3. Prove I was wrong giving you access at all (i.e. show a long history
of stupid, or demonstrate malice)
|
Most systems are Operations, so people who need access will do so at
least once in 90 days to keep the account alive. If the account is not
used in a 90 day period, it is parked (essentially "locked", but the
user can unlock it by going to a specific web site and auth'ing using
two-factor (password and hardware dongle)).
|
There's a small list of exceptions for people where 90 days does not
apply, like for me. I need access to everything (I'm last call in any
emergency) and most systems I rarely touch but I must not be locked out.

What emerges out of this is the most security and ease for the smallest
effort. Works for me :-)

--
Alan McKinnon
alan.mckinnon@×××××.com