[fdo] [PROPOSAL] Expiring accounts

[Tollef Fog Heen]

(sent to freedesktop@ and sitewranglers@, please keep the discussion on
freedesktop@)

Hi all,

currently we have a bit more than 700 user accounts on
freedesktop.org. I suspect some of those are no longer active, but we
currently have no way of detecting this.  Some other large projects like
Debian and Fedora try to detect activity through SSH logins, mailing
list activity, etc.  Ubuntu requires explicit group renewal for at least
some of the groups, if not all.

The nice thing about using heuristics is it is less work for the people
who use the service.  The downside is it is more work to set up and
maintain and it will have both false positives and negatives.  Explicit
confirmation has false positives for mail that gets lost because of
wrong forwarding or too tight spam filters, but should not have false
negatives.  It is also lightweight on the admin resources.

My suggestion is therefore to require people to reconfirm their
freedesktop.org account once a year.  A simple way of doing this would
be to send out a mail with a token to each person and requiring a signed
reply saying «Please keep my account» with the same token.  This would
also ensure we have relativetly up-to-date email forwarding set up for
all users and that people at least have access to their GPG key.

Feedback welcome, of course.
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are