On Mon, 18 Jun 2018 at 06:43 Nick Coghlan ncoghlan@gmail.com wrote:
On 18 June 2018 at 18:07, M.-A. Lemburg mal@egenix.com wrote:
Overall, I think that removing repo or bpo permissions should be kept separate from the status itself. It would probably be wise to send around reminders to all core devs who have access and have not used their permissions every few years. The keys of those who don't respond could then be disabled, without affecting anything else; and, of course, easily be reenabled if needed, without much process either.
Aye, that's the key concept behind adding an explicit "Dormant" status for core developers - they're folks that are still trusted with core commit privileges if they choose to exercise them, but while they're not using their access, it's better to deactivate their credentials to reduce the potential for compromise.
We'd add a note to the developer guide that gave instructions on how to request reactivation (likely just "Check the developer guide to ensure you're up to speed with any changes since you were last active, then post to python-committers requesting that your credentials be reactivated").
Right, no one's role of having been a core dev will be wiped from history, they just won't have the core dev logo next to their bugs.python.org username in the issue tracker (which if they are so dormant as to have not added their GitHub username then they probably don't care about that anyway ;). And flipping everything back on is a radio button and a word in bugs.python.org if their triage rights are removed and clicking on a button on a web page on GitHub if we clean up for dev access on the repository.