Re: [gentoo-dev] Re: Time based retirements

[Alan McKinnon <alan.mckinnon@gmail.com>]

On Fri, 21 Dec 2012 17:57:44 +0100
Diego Elio Pettenò <flameeyes@flameeyes.eu> wrote:

> > If someone has at some point contributed to Gentoo then why not let
> > them keep their user around, should they want to come back. Of
> > course this doesn't work retroactively, but I think it would be a
> > cool tip of the hat to current and future developers.  
> 
> ... the users generally are kept, and locked, but also one of the
> things that is done is archiving their home directory on dev.g.o as
> it might be taking quite an amount of space.


At my day job I'm the retirer (or BOFH depending who you speak to).
I'll describe mt process, maybe you fellows can use it.

Retiring people is too much effort, reinstating them doubly so; we
all have better things to do with our time. There's only 3 things that
get you retired or remvoed:

1. Resign from the company
2. Dramatically change your entire job (like move from technical to
sales)
3. Prove I was wrong giving you access at all (i.e show a long history
of stupid, or demonstrate malice)

Most systems are Operations, so people who need access will do so at
least once in 90 days to keep the account alive. If the account is not
used in a 90 day period, it is parked (essentially "locked", but the
user can unlock it by going to a specific web site and auth'ing using
two-factor (password and hardware dongle)

There's a small list of exceptions for people where 90 days does not
apply, like for me. I need access to everything (I'm last call in any
emergency) and most systems I rarely touch but I must not be locked out.

What emerges out of this is the most security and ease for the smallest
effort. Works for me :-)

-- 
Alan McKinnon
alan.mckinnon@gmail.com