
Long-term inactive committers represent a potential security risk

Long-term inactive committers represent a potential security risk.

Section 3.1 of the Eclipse Foundation Development Process grants:

The EMO has the responsibility and authority to mitigate issues that arise when Committers fail to perform the required behaviors or engage in practices that risk harm to Eclipse Projects, the community, and/or Ecosystem.

It goes on to say that:

The EMO’s authority includes, but is not limited to, the ability to grant specific individuals privileges equivalent to Committer privileges, suspend access to Project resources, add or remove Committers and Project Leads, and—in extreme cases—terminate the Project.

I believe that we can include retiring inactive committers on the basis that an abandoned account represents a real risk of harm to the project and ecosystem.

Do we need to add more on this topic to the EDP, or is this something that we can handle with some supporting documentation and best practices?

Can we keep this simple? Should we, for example, decide that after one year of inactivity we retire an account from all committer roles? My thinking is that any activity from the account, including contributions to projects on which the individual does not hold committer status, counts as activity. That is, we only retire committer roles for accounts that show signs of abandonment.

FWIW, the EMO has a practice of retiring committers when their contact information becomes invalid (e.g., they don't change their email address when they change companies) or they cease to be covered by a committer agreement (there are a few conditions under which this can occur).

/cc @mdelgado624 @mbarbero

Edited by Wayne Beaton