RFC: Trusted Contributor Activity Requirements
Summary
Change the relevant TC documentation to set an auto-disable time for accounts/repo permissions of inactive or resigned TCs so that there's no possibility of hostile takeover and/or damage from leaked/reused credentials.
Date Proposed
2024-08-16
Benefits
Security improvement.
Drawbacks
- Technically this could limit incentive to help out in the first place, but I don't think that matters since we don't want people to just sign up for the free email address.
- Could limit voting power (but that doesn't really matter either, see #13 (closed))
Tasks
- Edit relevant documents in governance
- Draft text:
If a trusted contributor has not shown any sign of life (defined below) in a given two-month period, then the other TCs (or the BDFL, via their absolute powers) shall vote on considering the given TC to be MIA.
If the vote passes, their password will be reset, 2FA will be reset, and existing sessions of their account (where possible) will be terminated for security reasons. If this process occurs, the TC is considered MIA for the next two months, after which all account data and access will be permanently removed if no signs of life occur.
Sign of life: Messages in Discord (either DMs to other TCs, or activity in the Crystal Linux channel), messages in the forum, or messages on other platforms to members of the community and/or other TCs. Additional signs of life could include GitLab activity (but ONLY if the activity relates to the project).
Alternatives
- Not doing it, I guess?
Edited by Matt C