


Thoughts on removing access to the Python teams repositories to inactive members ?

Started by: Louis-Philippe Véronneau <pollo@debian.org>
First post: 2026-01-12 18:20 +0100
Last post: 2026-01-20 20:00 +0100
Articles: 16 (8 participants)


#17338 — Thoughts on removing access to the Python teams repositories to inactive members ?

From: Louis-Philippe Véronneau <pollo@debian.org>
Date: 2026-01-12 18:20 +0100
Subject: Thoughts on removing access to the Python teams repositories to inactive members ?
Message-ID: <MctK9-a337-5@gated-at.bofh.it>

Hello!

I'm frequently replying to people asking to join the Python Team and as 
per our policy, we are pretty liberal in granting access to our 
repositories :)

That's great, but of course, the more people have access to the 
repositories, the more potential for abuse.

There are currently 539 members of the team on Salsa and some of these 
members haven't been active in the team for a while. I was wondering 
what people thought of removing access to accounts that haven't been 
active between 2023 to 2026.

I think a 3 years cutoff is fair? A quick look on Salsa lists around 75 
accounts that would meet that criteria.

Of course, people that would be removed could always ask to be added 
again, if they need access to a repository ;)

Cheers,

-- 
   ⢀⣴⠾⠻⢶⣦⠀
   ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
   ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
   ⠈⠳⣄



#17340 — Re: Thoughts on removing access to the Python teams repositories to inactive members ?

From: Soren Stoutner <soren@debian.org>
Date: 2026-01-12 18:30 +0100
Subject: Re: Thoughts on removing access to the Python teams repositories to inactive members ?
Message-ID: <MctTP-a37f-1@gated-at.bofh.it>
In reply to: #17338


On Monday, January 12, 2026 10:11:57 AM Mountain Standard Time Louis-Philippe 
Véronneau wrote:
> Hello!
> 
> I'm frequently replying to people asking to join the Python Team and as
> per our policy, we are pretty liberal in granting access to our
> repositories :)
> 
> That's great, but of course, the more people have access to the
> repositories, the more potential for abuse.
> 
> There are currently 539 members of the team on Salsa and some of these
> members haven't been active in the team for a while. I was wondering
> what people thought of removing access to accounts that haven't been
> active between 2023 to 2026.
> 
> I think a 3 years cutoff is fair? A quick look on Salsa lists around 75
> accounts that would meet that criteria.
> 
> Of course, people that would be removed could always ask to be added
> again, if they need access to a repository ;)

That sounds like a wise policy.  I would recommend posting the list of 
names to be removed to the mailing list and allowing anyone on the list a week 
or so to respond describing their desires to continue as a member of the team 
before removal.

-- 
Soren Stoutner
soren@debian.org



#17341

From: Martin <debacle@debian.org>
Date: 2026-01-12 21:50 +0100
Message-ID: <Mcx1n-a57C-3@gated-at.bofh.it>
In reply to: #17340

On 2026-01-12 10:23, Soren Stoutner wrote:
> On Monday, January 12, 2026 10:11:57 AM Mountain Standard Time Louis-Philippe 
> Véronneau wrote:
>> I think a 3 years cutoff is fair? A quick look on Salsa lists around 75
>> accounts that would meet that criteria.
>>
>> Of course, people that would be removed could always ask to be added
>> again, if they need access to a repository ;)
>
> That sounds like a wise policy.  I would recommend posting the list of 
> names to be removed to the mailing list and allowing anyone on the list a week 
> or so to respond describing their desires to continue as a member of the team 
> before removal.

+1



#17342

From: Anton Gladky <gladk@debian.org>
Date: 2026-01-12 22:10 +0100
Message-ID: <McxkK-a5vS-9@gated-at.bofh.it>
In reply to: #17341

Hello,

thanks for raising this!

I support this proposal but would suggest not to post a list of names on the
public mailing list, as some people may not feel comfortable
being publicly listed as inactive.

Maybe we could contact them directly (for example with an
automated email) and set an access expiration date via the gitlab
API.

Best regards

Anton

Am Mo., 12. Jan. 2026 um 21:40 Uhr schrieb Martin <debacle@debian.org>:
>
> On 2026-01-12 10:23, Soren Stoutner wrote:
> > On Monday, January 12, 2026 10:11:57 AM Mountain Standard Time Louis-Philippe
> > Véronneau wrote:
> >> I think a 3 years cutoff is fair? A quick look on Salsa lists around 75
> >> accounts that would meet that criteria.
> >>
> >> Of course, people that would be removed could always ask to be added
> >> again, if they need access to a repository ;)
> >
> > That sounds like a wise policy.  I would recommend posting the list of
> > names to be removed to the mailing list and allowing anyone on the list a week
> > or so to respond describing their desires to continue as a member of the team
> > before removal.
>
> +1
>



#17343

From: Louis-Philippe Véronneau <pollo@debian.org>
Date: 2026-01-12 22:10 +0100
Message-ID: <McxkK-a5vS-15@gated-at.bofh.it>
In reply to: #17342

On 2026-01-12 16:01, Anton Gladky wrote:
> Hello,
> 
> thanks for raising this!
> 
> I support this proposal but would suggest not to post a list of names on the
> public mailing list, as some people may not feel comfortable
> being publicly listed as inactive.

I understand the feeling but:

1. It's inactivity _in the Debian Python team_ only. That doesn't mean 
these people aren't active members of the Debian community :)

2. That info is already public: 
https://salsa.debian.org/groups/python-team/packages/-/group_members?sort=oldest_last_activity

> Maybe we could contact them directly (for example with an
> automated email) and set an access expiration date via the gitlab
> API.

If someone wants to write a script that polls the Gitlab API and run such 
a service, it would really be cool! I'm not planning on doing that 
though, I'll mostly go "click click click" for a few minutes on the web 
interface and be done with it :P

-- 
   ⢀⣴⠾⠻⢶⣦⠀
   ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
   ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
   ⠈⠳⣄



#17345

From: Craig Small <csmall@debian.org>
Date: 2026-01-12 22:40 +0100
Message-ID: <McxNL-a5G7-7@gated-at.bofh.it>
In reply to: #17343


Hi,
  I think this idea is good security hygiene. A 3+ years list would help in
a way because it can bring up corner cases or problems with the filtering
method, such as:

On Tue, 13 Jan 2026, 8:06 am Louis-Philippe Véronneau, <pollo@debian.org>
wrote:

>
> 1. It's inactivity _in the Debian Python team_ only. That doesn't mean
> these people aren't active members of the Debian community :)
>
> 2. That info is already public:
>
> https://salsa.debian.org/groups/python-team/packages/-/group_members?sort=oldest_last_activity


The first item doesn't match the second there.

If the intent is to remove people from the Python team due to not doing
anything with the Python team for (say) 3 years you'll need to look for
that info elsewhere.

That list is sorted by any salsa activity.  For example it says my last
activity was 6 Jan 2026, which it was for the Debian project.

My last Python activity was February 2025.

Now on that list for 3+ years means they've done nothing on Salsa anywhere
so definitely they've not done anything in the Python project, so it's a
good start but won't meet the full goal.

 - Craig



#17346

From: Louis-Philippe Véronneau <pollo@debian.org>
Date: 2026-01-12 22:50 +0100
Message-ID: <McxXr-a5KH-13@gated-at.bofh.it>
In reply to: #17345

On 2026-01-12 16:25, Craig Small wrote:
> That list is sorted by any salsa activity.  For example it says my last
> activity was 6 Jan 2026, which it was for the Debian project.

Oh, how disappointing... I don't see a simple way to get per-project 
user activity though.

I guess I would propose to use general Salsa activity if no one proposes 
a better solution :(

-- 
   ⢀⣴⠾⠻⢶⣦⠀
   ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
   ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
   ⠈⠳⣄



#17348 — Re: Thoughts on removing access to the Python teams repositories to inactive members ?

From: Dominik George <natureshadow@debian.org>
Date: 2026-01-12 23:00 +0100
Subject: Re: Thoughts on removing access to the Python teams repositories to inactive members ?
Message-ID: <Mcy78-a5Os-3@gated-at.bofh.it>
In reply to: #17346

>Oh, how disappointing... I don't see a simple way to get per-project user activity though.
>
>I guess I would propose to use general Salsa activity if no one proposes a better solution :(

Maybe don't kick out DDs at all.

I mean, they can just upload whatever they want, without ever committing to git, so…?



#17349

From: Louis-Philippe Véronneau <pollo@debian.org>
Date: 2026-01-12 23:10 +0100
Message-ID: <McygN-a68C-1@gated-at.bofh.it>
In reply to: #17348

On 2026-01-12 16:55, Dominik George wrote:
>> Oh, how disappointing... I don't see a simple way to get per-project user activity though.
>>
>> I guess I would propose to use general Salsa activity if no one proposes a better solution :(
> 
> Maybe don't kick out DDs at all.
> 
> I mean, they can just upload whatever they want, without ever committing to git, so…?
> 

That sounds ... complicated? AFAIU, new accounts don't have "-guest" 
appended to them anymore, and I don't think anything is forcing DDs to 
use the same Salsa username as their Debian login.

Looking at the membership of the debian group [1] would probably be a 
good way to go [2], but again, we're pretty far in the "this requires a 
script using the Gitlab API" territory and I don't plan on doing that :)

Honestly, if we're only using the global Salsa activity (instead of the 
currently non-existing Debian Python Team activity), I think it's safe 
to kick everyone from the team who hasn't been active in 3 years.

[1]: https://salsa.debian.org/groups/debian/-/group_members
[2]: 
https://wiki.debian.org/Salsa/Doc#Collaborative_Maintenance:_.22Debian.22_group

-- 
   ⢀⣴⠾⠻⢶⣦⠀
   ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
   ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
   ⠈⠳⣄



#17350 — Re: Thoughts on removing access to the Python teams repositories to inactive members ?

From: Soren Stoutner <soren@debian.org>
Date: 2026-01-12 23:30 +0100
Subject: Re: Thoughts on removing access to the Python teams repositories to inactive members ?
Message-ID: <McyA9-a6gq-3@gated-at.bofh.it>
In reply to: #17349


On Monday, January 12, 2026 3:09:17 PM Mountain Standard Time Louis-Philippe 
Véronneau wrote:
> On 2026-01-12 16:55, Dominik George wrote:
> Honestly, if we're only using the global Salsa activity (instead of the
> currently non-existing Debian Python Team activity), I think it's safe
> to kick everyone from the team who hasn't been active in 3 years.

I would agree with that.  I think we just send an email to the list with the 
names and remove them if there is no response.  The example response we did 
receive would be sufficient in my mind to not remove a person for an 
additional year.

-- 
Soren Stoutner
soren@debian.org



#17356

From: Nicholas D Steeves <sten@debian.org>
Date: 2026-01-14 01:30 +0100
Message-ID: <McWVP-amyX-3@gated-at.bofh.it>
In reply to: #17342


Anton Gladky <gladk@debian.org> writes:

> Hello,
>
> thanks for raising this!
>
> I support this proposal but would suggest not to post a list of names on the
> public mailing list, as some people may not feel comfortable
> being publicly listed as inactive.

+1 because it is implausible that most inactive members are following team
messages.  Thus, this action has two effects:

  1. Providing a public record that an inactive member was contacted.
  2. What may feel like shame culture.

> Maybe we could contact them directly (for example with an
> automated email) and set an access expiration date via the gitlab
> API.
>

Given that our social contract requires us to act in and assume good
faith, it seems to me that a public announcement that a list exists and
that members have been contacted will be sufficient.

Anton, do you know if Gitlab would notify members of pending operations
like this?

Cheers,
Nicholas



#17344 — Re: Thoughts on removing access to the Python teams repositories to inactive members ?

From: Dominik George <natureshadow@debian.org>
Date: 2026-01-12 22:30 +0100
Subject: Re: Thoughts on removing access to the Python teams repositories to inactive members ?
Message-ID: <McxE5-a5CL-1@gated-at.bofh.it>
In reply to: #17338

>There are currently 539 members of the team on Salsa and some of these members haven't been active in the team for a while. I was wondering what people thought of removing access to accounts that haven't been active between 2023 to 2026.
>
>I think a 3 years cutoff is fair? A quick look on Salsa lists around 75 accounts that would meet that criteria

I think I might meet this criterion, but please don't remove me. I just planned to get my Python packages sorted at the next MiniDebCamp.

-nik



#17347

From: Arian Ott <arian.ott@ieee.org>
Date: 2026-01-12 22:50 +0100
Message-ID: <McxXr-a5KH-15@gated-at.bofh.it>
In reply to: #17344

On Mon, 12 Jan 2026 at 22:42, Nadzeya Hutsko <nadzya.info@gmail.com> wrote:
>
> > I think I might meet this criterion, but please don't remove me. I just planned to get my Python packages sorted at the next MiniDebCamp.
>
> I think it would make sense also not to remove people who recently
> joined the team as they might not have had time/opportunity to make
> their first contribution yet.
>

As far as I understand this discussion, only inactive accounts would be removed.


-- 
---
Arian
arian.ott@ieee.org



#17371

From: Nicholas D Steeves <sten@debian.org>
Date: 2026-01-17 23:50 +0100
Message-ID: <Menhf-bkfH-7@gated-at.bofh.it>
In reply to: #17338


Hi Thomas!

Thomas Goirand <zigo@debian.org> writes:

> Hi,
>
> I agree with what's been said as reply: this is a very good idea, but 
> please exclude DDs and DMs from removal list.
>
> BTW, as a Salsa admin, I thought that maybe, we should do the same thing 
> globally: at least *lock* inactive accounts with the rule:
>
> - no activity for 3 years
> - account created at least 6 months ago
> - not a DD
>
> Any other criteria?
>
> Anyone to help me to write such a shell script? :)

Maybe base it on the GNOME project's Gitlab script?  As a one-off
contributor to upstream GNOME (three years ago, I think) I just received
a deactivation email, which also said this:

> To reactivate your account, sign in to GitLab at https://gitlab.[foo].org.

So maybe a check-in with a team somewhere to revalidate the credentials
socially (ie the web of trust vis à vis the supply chain thing)?

Best,
Nicholas



#17374

From: Nicholas D Steeves <sten@debian.org>
Date: 2026-01-20 05:10 +0100
Message-ID: <Mfbe1-bRcw-1@gated-at.bofh.it>
In reply to: #17371


CCing MIA team in case they have a script that does what we're
discussing, and because stale-Gitlab-account detection seems like
something they might be interested in.

Thomas Goirand <zigo@debian.org> writes:

> On 1/17/26 11:42 PM, Nicholas D Steeves wrote:
>> Thomas Goirand <zigo@debian.org> writes:
>>>
>>> BTW, as a Salsa admin, I thought that maybe, we should do the same
>>> thing globally: at least *lock* inactive accounts with the rule:
[snip]
>>> Anyone to help me to write such a shell script? :)
>> 
>> Maybe base it on the GNOME project's Gitlab script?
>
> Where to find it?

Sorry, I don't know; maybe someone on the GNOME team does?  Also, I'm
assuming upstream GNOME's Gitlab has a script...  Meanwhile, if GNOME
and KDE (which I just learned also switched to Gitlab) don't have a
script, and we all pay for non-free Gitlab, maybe Gitlab would be
willing to write this feature if all of us write to Gitlab?  It sounds like
we want:

  1. A function that will output a data structure that contains all
  accounts that haven't been used for an activity during a period; this
  function would check messaging, MR review activity, commits, etc.  And
  we want for a namespace/team admin to be able to query activity for
  that namespace/team.  Should the global scope be salsa admin[s] only
  (ie: maybe it's too resource-intensive)?
  2. Filter that list to exclude accounts like an ACL like DD.
  3. Ideally have a nice interface with checkboxes?
  4. Notify user and give the user a chance to reactivate account to
  active status.
  5. Maybe this feature could remind about MRs too, and/or be folded
  into some kind of stale-notify-decruft-section functionality?
  6. Maybe run it as a scheduled job?

Alternatively, this seems like a nice defensive policy thing to have for
any Community Gitlab instance, so maybe the larger community would like
to work on this together?  Maybe they already have?  Does this sound
more like a leadership by example thing like reprobuild, or like a
Debian working with other projects and communities for better policies
and tools in an era of supply chain attacks?

Cheers,
Nicholas



#17376

From: Louis-Philippe Véronneau <pollo@debian.org>
Date: 2026-01-20 20:00 +0100
Message-ID: <Mfp7j-c03M-25@gated-at.bofh.it>
In reply to: #17338

On 2026-01-16 06:10, Thomas Goirand wrote:
> On 1/12/26 6:11 PM, Louis-Philippe Véronneau wrote:
>> Hello!
>>
>> I'm frequently replying to people asking to join the Python Team and 
>> as per our policy, we are pretty liberal in granting access to our 
>> repositories :)
>>
>> That's great, but of course, the more people have access to the 
>> repositories, the more potential for abuse.
>>
>> There are currently 539 members of the team on Salsa and some of these 
>> members haven't been active in the team for a while. I was wondering 
>> what people thought of removing access to accounts that haven't been 
>> active between 2023 to 2026.
>>
>> I think a 3 years cutoff is fair? A quick look on Salsa lists around 
>> 75 accounts that would meet that criteria.
>>
>> Of course, people that would be removed could always ask to be added 
>> again, if they need access to a repository ;)
>>
>> Cheers,
> 
> Hi,
> 
> I agree with what's been said as reply: this is a very good idea, but 
> please exclude DDs and DMs from removal list.
> 
> BTW, as a Salsa admin, I thought that maybe, we should do the same thing 
> globally: at least *lock* inactive accounts with the rule:
> 
> - no activity for 3 years
> - account created at least 6 months ago
> - not a DD
> 
> Any other criteria?
> 
> Anyone to help me to write such a shell script? :)

That would be great! I don't have any spoons for that, but it would 
indeed be a better idea than doing this at the team level.

-- 
   ⢀⣴⠾⠻⢶⣦⠀
   ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
   ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
   ⠈⠳⣄


