Password Reset

Adam Williamson awilliam at redhat.com
Wed Mar 11 21:56:05 UTC 2009


On Wed, 2009-03-11 at 11:54 -0700, Christopher Aillon wrote:
> On 03/11/2009 07:05 AM, Mike McGrath wrote:
> > On Wed, 11 Mar 2009, Colin Walters wrote:
> >> If the actual goal of the reset is to close off inactive accounts, we
> >> are restarting the 4 month timer when e.g. doing CVS commits
> >> hopefully?
> >>
> > 
> > We've talked about that type of thing.  It's more of a "wouldn't it be
> > nice".  The problem is we've got thousands of contributors, relatively few
> > of them actually commit to cvs.  So we could go around to figure out how
> > to make all of our various auth points report back but that's a lot of
> > work.  The account system is the only common point of entry for every
> > contributor.
> 
> So let's require them to simply _log in_ to FAS to reset the timer 
> (you need to do that to change passwords, anyway!).
> 
> Then, if other groups want to implement the timer reset for CVS commits, 
> wiki edits, openID usage, etc. they can, and nobody needs to worry 
> because there is a way for everyone to reset the timer.  Just some 
> groups may have more.

That sounds like the most sensible thing I've read in this thread so
far. If the requirement is 'figure out who's active', the sensible
condition seems to be 'who's logged in interactively lately', not 'who
can be bothered to change their password in response to an email
request'.

This way has two other considerable advantages - it's transparent for
many people (since you have to log in for one reason or another anyway)
and you could just send the email to people who would be on the
'inactive list' as currently calculated, and not bother anyone else
about it.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



