[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Savannah-hackers] [support #103008] Account removal
From: |
Elfyn McBratney |
Subject: |
Re: [Savannah-hackers] [support #103008] Account removal |
Date: |
Wed, 14 Apr 2004 21:13:02 +0000 |
User-agent: |
KMail/1.6.1 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 14 Apr 2004 19:59, Sylvain Beucler wrote:
> It is not really related but:
> For changing e-mails:
> "I suggest that we follow this procedure:
>
> * Send a message to the address on file, and see if it bounces. If
> it doesn't bounce, then we must ask the original user why, and decide
> what to do on a case by case basis. We should be EXTREMELY reluctant
> -- if not outright REFUSE -- to change an email address if the one on
> file does not bounce.
>
> * If the mail does bounce, we should ask the user if they can
> produce any evidence that they once had that email address. The best
> evidence would be a GPG-signed message that is signed with a key that
> has both their old and new email address on it, and that the GPG key be
> available from a well-known public keyserver. While this could be
> forged, it would be substantial work to do so and could easily get
> discovered.
>
> (Note, this is why I say the key much be on a public keyserver.
> Even if they forge the key to refer to email addresses they don't
> control (i.e., generate a key that includes bogus info), putting on a
> public key server could likely flag the real owner of the email
> address.)
>
>
> * If they cannot use the GPG solution, I suppose we should accept
> any plausible explanation for why their old email address is bouncing
> (e.g., changed ISP). If someone truly wants to social engineer their
> way into commit access on a project, they can likely do it. We can't
> beat it; we can just make it some effort to succeed in such social
> engineering.
>
>
> Do any savannah-hackers object to this procedure? If not, then please
> go ahead with it."
> (bkuhn)
>
> In our case, the user still has access to access to the old account and
> posted the request with it. Moreover, there is indeed another account
> (maarten), which has a valid address (while stevenmaarten do not - just
> check the corresponding SF user page). So it should enough to delete
> the account w/o confirmation.
Thanks for that, Sylvain.
OK, I'll follow those guidelines in the future. I have deleted the
'stevenmaarten' user (user id 13930).
Elfyn
- --
Elfyn McBratney, EMCB
mailto:address@hidden
http://www.emcb.co.uk/
PGP Key ID: 0x456548B4
PGP Key Fingerprint:
29D5 91BB 8748 7CC9 650F 31FE 6888 0C2A 4565 48B4
"When I say something, I put my name next to it." -- Isaac Jaffee
>> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ <<
<< ~ Linux london 2.6.5-emcb-241 #2 i686 GNU/Linux ~ >>
>> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ <<
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAfaleaIgMKkVlSLQRAhBkAKCOutOleS5C/M2goUIRfZZf7Tb7+wCeMKcT
UBqECVoNzkbzRTRey9rJVBc=
=nb+8
-----END PGP SIGNATURE-----