Remove Coordinator role of inactive coordinators on bugs.python.org

(Victor Stinner) #1

Hi,

I asked Ezio Melotti and R. David Murray too many times to give the bug triage permission to a contributor, so they decided to give me the “Coordinator” role on bugs.python.org :slight_smile: I was worried that we did not have enough “Coordinators”, but there are 26 Coordinators!

Problem: in the list, there are core devs who have been inactive for more than 5 years. I’m worried about the security of bugs.python.org, since the authentication is a “simple” login/password: there is no 2-factor authentication (2FA).

For security reasons, I suggest removing the Coordinator role from inactive coordinators. I’m not sure how to identify who is inactive. Maybe just iterate on the list and check the online activity (mailing list, Discourse, bug tracker, GitHub, etc.) of each coordinator?

Once we have a list of inactive coordinators: send them an email to ask them if they want to keep this role. If they want to keep it: do nothing. If they don’t reply within 1 month: remove the role.

If a coordinator comes back, we will give them immediately the role again. It’s only a matter of security.

Another issue with inactive coordinators is getting an idea of how many moderators we have to handle spam on bugs.python.org. Maybe there are far fewer than 26 people looking frequently for spam?

Victor


(Ned Deily) #2

I think this is a topic for @EWDurbin as director of infrastructure.


#3

Maybe the list of coordinators should be made public somewhere? At the moment I don’t actually know who the coordinators are.

Removing inactive people from the list of coordinators sounds good. But I don’t think we should make assumptions based on lack of visible online activities. Many people still read emails to keep up, and I suppose the act of “coordinating” is not a visible one.

To start, I suggest emailing all the current coordinators and asking if they’re still active/want to keep the coordinator status.


(Victor Stinner) #4

The list is public but I don’t want to share the link right now because I don’t want to invite hackers to attempt to hack these accounts :grin:

When I proposed to check online activities, it was just to avoid spamming coordinators who are active. But since the list is short, we can maybe mail all coordinators :wink:


(Ernest W. Durbin III) #5

I’m happy to work to implement whatever the Core Devs and Steering Council agree on and notify those affected. :slight_smile:


(Barry Warsaw) #6

I don’t know if I’m a coordinator, but I’m happy to relinquish this role.


(Nathaniel J. Smith) #7

Is there any kind of audit log for when people use their “coordinator” powers? One elegant way to do this would be to pull out a list of everyone who’s actually used this in the last, say, year, then email the rest to thank them and tell them that they’ll be removed from the list in X days unless they speak up.


#8

Victor showed me how to find the list of coordinators. You’re in it!


(Barry Warsaw) #9

Oh, yay! Feel free to remove these perms.


(Brett Cannon) #10

We can make removing the role be part of becoming inactive. Otherwise we can clean up access like for GitHub admin access and simply heavily restrict it as we don’t need that many people to be able to add folks since it’s so low bandwidth.


(Victor Stinner) #11

There are ongoing discussions about “inactive core developers”, but nothing has happened in practice yet. So I propose to make the most obvious and least controversial change first: just remove the Coordinator role from inactive core devs on the bug tracker, for security reasons. It’s a hidden change, it doesn’t have to be announced or mentioned anywhere :slight_smile:

By the way, I am a supporter of moving inactive core devs to a dedicated list. PEP 13 has a paragraph about that:

There’s no time limit on core team membership. However, in order to provide the general public with a reasonable idea of how many people maintain Python, core team members who have stopped contributing are encouraged to declare themselves as “inactive”. Those who haven’t made any non-trivial contribution in two years may be asked to move themselves to this category, and moved there if they don’t respond. To record and honor their contributions, inactive team members will continue to be listed alongside active core team members; and, if they later resume contributing, they can switch back to active status at will. While someone is in inactive status, though, they lose their active privileges like voting or nominating for the steering council, and commit access.

Again, that would require more work: create such a list of “inactive”/“emeritus” core devs, contact all core devs (+150?), not just 28 coordinators.

I prefer to start with a small step.

To be more explicit, I’m concerned by the fact that XXX (hidden name) is still a Coordinator whereas he hasn’t shown up in Python since 2013 (6 years ago). Again, I would be very happy to give him back the Coordinator role as soon as he comes back. But in the meantime, I prefer to reduce the attack surface. It’s not like leaked password databases are uncommon on the Internet nowadays. See for example https://haveibeenpwned.com/ I checked his email address and this website says “Pwned on 8 breached sites and found 1 paste”… He hasn’t changed his bugs.python.org password since 2011…

If someone has a good reason not to remove the Coordinator role from inactive coordinators, maybe another option would be to set a random strong password and/or force a password reset on their account?


(Brett Cannon) #12

I didn’t mean to come off like I didn’t agree with that. I’m just saying if we’re looking for clarification for a way to stay on top of things, tying it to when we update the list of (in)active core devs is an option.


(Victor Stinner) #13

So far, I haven’t seen anyone who is opposed to my email, so I plan to send the following email next week. If someone doesn’t reply, I can try other ways to reach them (another email address, Twitter, whatever). If I really get no answer or if the coordinator asked to drop his role, I will send a list to @EWDurbin. Are you ok with this process? If you don’t reply, I consider that you agree. If you disagree, please speak up :slight_smile:

Email:

Action needed: please confirm that you are still using bugs.python.org

Hi NAME,

tl;dr If you don’t reply to this email within 1 month, I will remove the Coordinator role from your bugs.python.org account.

How are you?

I’m working on the security of the Python infrastructure. Currently, bugs.python.org doesn’t offer 2-factor authentication (2FA) yet, but only “basic” login/password authentication. Sadly, password breaches are becoming more and more common. For example, enter your email at https://haveibeenpwned.com/ to check if one of your passwords leaked somewhere.

For this reason, I would like to ensure that bug tracker users with the “Coordinator” role (highest privilege) still have access to their email address and maybe also changed their password in the last 5 years. Your account has the Coordinator role.

My question for you is simple: are you still working on the Python project / are you still using the bug tracker?

Even if you don’t actively use your Coordinator role, that’s fine. I’m only concerned about core developers who haven’t shown up in Python in the last year.

If I don’t get a reply to this email, I will remove the Coordinator role from your account. If you missed this email or if you want to get this role back, don’t worry! I will add it back to your account as soon as you ask for it!

Victor

Oh, about the password: I noticed bugs.python.org switched to PBKDF2, but I don’t know when.

Maybe I can also ask coordinators whose password is not hashed with PBKDF2 to change their password? At https://bugs.python.org/user2377 (my account), I can read for example:

2017-06-20 22:20:02 vstinner set password: {PBKDF2}*encrypted* -> {PBKDF2}*encrypted*

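Post #7 asks for an audit view of who actually holds and uses Coordinator powers, and post #13 suggests checking which coordinators still have a non-PBKDF2 or very old password record. The script below is an added example written for this edit; it is not code from the thread, from bugs.python.org or from Roundup. It assumes that each account’s history is available as lines in the shape of the single line quoted above (`<date> <time> <actor> set password: {SCHEME}*encrypted* -> {SCHEME}*encrypted*`), and the user names, the history lines (including the older `{SHA}` scheme name) and the “today” date are constructed sample data, not real tracker records.

```python
"""Flag bug-tracker coordinator accounts whose password record looks stale.

Added example: not bugs.python.org or Roundup code. The history line format is
generalised from one line quoted in the thread; all data below is constructed.
"""
import re
from datetime import datetime, timedelta

# One Roundup history line for a password change, e.g.
#   2017-06-20 22:20:02 vstinner set password: {PBKDF2}*encrypted* -> {PBKDF2}*encrypted*
# The braces carry the hash scheme; "*encrypted*" hides the hash itself.
PASSWORD_LINE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<actor>\S+) set password: "
    r"\{(?P<old>[^}]*)\}\S* -> \{(?P<new>[^}]*)\}\S*$"
)

# Constructed sample: user -> history lines (in practice scraped from /userNNN pages).
# "SHA" as the pre-PBKDF2 scheme name and every user name are assumptions.
SAMPLE_HISTORY = {
    "vstinner": [
        "2011-03-02 10:00:00 vstinner set password: {SHA}*encrypted* -> {SHA}*encrypted*",
        "2017-06-20 22:20:02 vstinner set password: {PBKDF2}*encrypted* -> {PBKDF2}*encrypted*",
    ],
    "olddev": [
        "2011-01-15 08:30:00 olddev set password: {SHA}*encrypted* -> {SHA}*encrypted*",
    ],
    "nopw": [
        "2019-01-01 00:00:00 admin set roles: Coordinator,User",
    ],
}
SAMPLE_COORDINATORS = ["vstinner", "olddev", "nopw"]


def last_password_change(lines):
    """Return (timestamp, new_scheme) of the most recent password change, or None."""
    latest = None
    for line in lines:
        m = PASSWORD_LINE.match(line.strip())
        if not m:
            continue  # unrelated history entry (role change, email change, ...)
        when = datetime.strptime(m.group("when"), "%Y-%m-%d %H:%M:%S")
        if latest is None or when > latest[0]:
            latest = (when, m.group("new"))
    return latest


def audit_coordinators(history, coordinators, today,
                       max_age=timedelta(days=5 * 365), required_scheme="PBKDF2"):
    """Return {user: [reasons]} for coordinators whose password record is risky.

    A user is flagged when no password change is recorded at all, when the
    stored hash does not use required_scheme, or when the last change is older
    than max_age. Users with a recent PBKDF2 change are not returned.
    """
    findings = {}
    for user in coordinators:
        reasons = []
        change = last_password_change(history.get(user, []))
        if change is None:
            reasons.append("no password change recorded in history")
        else:
            when, scheme = change
            if scheme != required_scheme:
                reasons.append(f"hash scheme is {scheme}, not {required_scheme}")
            if today - when > max_age:
                reasons.append(f"last change {when:%Y-%m-%d} is older than {max_age.days} days")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    # Constructed reference date so the run is reproducible offline.
    for user, reasons in audit_coordinators(SAMPLE_HISTORY, SAMPLE_COORDINATORS,
                                            datetime(2019, 6, 1)).items():
        print(user, "->", "; ".join(reasons))
```

With the sample data, `olddev` is flagged for both the old hash scheme and the age of the change, `nopw` for having no recorded password change, and `vstinner` is not flagged. Against the real tracker, the list of flagged users is the set to contact first; the age threshold and scheme name are parameters so the policy from the email above (changed in the last 5 years, PBKDF2) can be adjusted without touching the parser.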

(Ned Deily) #14

Contacting the people with admin privs sounds fine but I think that we should let the Director of Infrastructure handle this. That’s what he’s being paid to do :slight_smile: And he’s already volunteered.


(Victor Stinner) #15

Hum, it seems like I misunderstood @EWDurbin’s message. I understood that he wanted me or someone else to send the email.

If @EWDurbin can or should do it, please go ahead! I only care about the security of bugs.python.org, I don’t care who sends the email and/or removes the role.


(Victor Stinner) #16

@EWDurbin: I sent you an email with a few more details. So, what do you think? Should we send an email to bugs.python.org coordinators?


(Ernest W. Durbin III) #17

I’m reviewing this now!


(Victor Stinner) #18

@EWDurbin: Hello, any update on this topic? Have you contacted inactive coordinators? Do they still have the Coordinator role in the bug tracker?
