Should there be an announcement or at least a ping of other group
managers just to make sure there are no objections? While unlikely,
I'm a little concerned that a rogue group manager could cause some
harm on their way out the door, for example.
That makes sense.


--
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
infrastructure mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedo

If groups are referenced by name only and data can be found later it should be ok.
(Some systems have used group IDs that can be unique, but I am not aware of any at the moment, the same ID can be impossible to create. In that case group should just be hidden from general users.)

Jan

________________________________
From: Kevin Fenzi <***@scrye.com>
Sent: Monday, April 19, 2021 9:29 PM
To: ***@lists.fedoraproject.org <***@lists.fedoraproject.org>
Subject: account system group deletions

Greetings.

I thought I would bring up for dicussion here something thats come up
after the new account system has been put in place.

Namely, how do we handle group deletions.
In the FAS2 world, we never deleted anything. I think this was partly
due to an over abundence of caution (there could be files owned by the
group left over on various machines) and partly just because it was
easier.

We now have 5 requests to remove various no longer used groups.

I've enabled audit logging on our ipa01 instance, so we have audit logs
(and I intend to back them up and keep them forever). So we can tell
when a group was deleted by whom. We also have a db dump from fas2
before the switchover where we can look at who was in what group or what
created it.

So, I would like to propose:

* we will remove groups on request/ticket from a group manager.
* we will not seek out groups to remove, as them being there doesn't
really hurt anything.

Thoughts?

If there's no objections soon I will go ahead and process those
requests.

kevin

+1 for me on groups.

This does raise the question about user accounts no?
We could have a group that is created with the same name as a group that was
deleted, and suddenly our auditing trail needs to take into account a time
component as group X at time A may be different than group X at time B.

I've the feeling that user accounts are a tad more sensitive and thus we may
want to keep our current policies, I'm raising the question here nonetheless :)


Pierre
_______________________________________________
infrastructure mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastruc