Closed Bug 524153 Opened 12 years ago Closed 12 years ago

Deactivate dormant accounts for CVS, SVN, Hg


( Graveyard :: Server Operations, task)

Not set


(Not tracked)



(Reporter: gerv, Assigned: aravind)



(Whiteboard: 01/15/2010)


(3 obsolete files)

The dormant accounts policy has been agreed, and accounts which have been dormant for more than six months should be deactivated. The files containing the account names of the dormant accounts are attached.

Attached file Hg dormant accounts (obsolete) —
Attached file SVN dormant accounts (obsolete) —
Attached file CVS dormant accounts (obsolete) —
Please let me know if you need any more information from me.

Er, what? I know for a fact that the Hg list is completely wrong. Please hold off on completing this request.
Comment on attachment 408050 [details]
Hg dormant accounts


You sure about that?
Reassigning to Gerv to get this off IT's queue until issues have been resolved.
Assignee: server-ops → gerv
Attachment #408050 - Attachment is obsolete: true
Attachment #408051 - Attachment is obsolete: true
Attachment #408052 - Attachment is obsolete: true
FYI, I'm taking my issues to the newsgroup, as that's a more appropriate place.

Should this bug just be closed until such issues have been resolved, or do we just want to leave it open but assigned to Gerv until then?
(In reply to comment #8)
> FYI, I'm taking my issues to the newsgroup, as that's a more appropriate place.
The list of people you want to deactivate for SVN is not accurate, you have in your list people whose SVN access was removed last August at my request:

You also have people that I know have committed in the last months as well as the whole IT team
Pascal: thank you for that report; that seems to be a flaw in the list of "all accounts" sent to me by IT. I will take that up with them.

Can you please give examples of people you know have committed to SVN in the last six months?

Gerv has committed in June for the 3.5 release.

Other examples of people that committed recently:
I did not commit to CVS for some time, but I'd like to keep my account ( until we stop supporting Firefox 3.0. If any (important) bugs are found in 3.0 Polish localization, I'd like to be able to fix them. Other localizers on that list may have similar wishes. :)
mkmelin appears to have the following accounts:,CVS,Hg,Hg

He appears to be checking in using the "+mozilla" version. Now I know from an email perspective the two Hg accounts are the same, but I don't know if that's true from an Hg account perspective. Can anyone with knowledge of Hg clarify?

Pascal: my new trawl for SVN has fred.castles and bienvenu. 

I have committing but not Are those the same person? Perhaps he has two accounts and is only using one? Or his account has changed name, and he hasn't committed since?

I still have no record of committing to SVN between the end of April and now. Can you point me at the commit so I can see why I'm missing it?


Pascal: the checkins at the URL you give are all dated 2008 and 2007, which is outside the range I'm looking at (last 6 months). 

I'm not sure what we do with people changing their names. I guess we run the script twice a month apart, and only deactivate people who show up on both runs.

ah my bad, I thought it was 2009
Nothing for IT to do here until there's an accurate list.
Closed: 12 years ago
Resolution: --- → INCOMPLETE
We now have a list which I think is a great deal more accurate. The issues listed above have been addressed (including the fact that we preserve a set of nominated IT-owned accounts for SVN), and anyone who has got an LDAP account within the last month is excluded. If someone got a new level of access recently and still hasn't checked in anywhere, we can't detect that, so there's still a small possibility of false positives, but this is as good as it's going to get with the tools we have.

Please can IT deactivate all accounts listed in the dormant-* files in this directory?

We'll start with those inactive for 12 months or more. If that goes OK, we may reduce N to six months.

As soon as it's done, please comment here so I can publicise it, so if there is still the odd problem with the list, people affected know how to get their accounts reactivated quickly.

Resolution: INCOMPLETE → ---
Assignee: gerv → server-ops
Gerv - is this blocked on 524080 or not?
mrz: in what sort of timescale do you think you can implement a fix for bug 524080? If the answer is days, then yes, it would be good to get that first. If it will take weeks or months, then I say we should just go ahead with this, and use publicity to make people aware of what might have happened.

I just used my CVS account today. Could you please take me off the dormant CVS list? Thanks. :)
I've talked to Gerv about setting some time frame to get the back end LDAP and IT tools infrastructure configured to support this.  

Aravind articulated a number of these in bug 524080 and I'm making this dependent on that.

Working towards 01/15/2010 to wrap this up.
Assignee: server-ops → aravind
Component: Server Operations: Account Requests → Server Operations
Depends on: 524080
Whiteboard: 01/15/2010
Since we're already about 3 months past the generation of Gerv's most recent list of accounts to be disabled, I hope that new lists will be generated before disabling ;)

In the event that doesn't happen, I have been actively using my Hg account recently as well, so could you please take me off the dormant Hg list? Thanks. :)
Okay, made some progress here.  LDAP now has a timestamp for the last svn|hg activity on an account.  I now have a script in place that parses ldap activity every 15 minutes and updates the svn|hg accounts with this information.

The missing part is a script that looks through ldap and disabled accounts with last activity > 12 months.  I should have this part done sometime today as well.

Note that I haven't done anything with cvs accounts here.  That part is still manual and will have to be that way for some time.  If we want to automate that we have to spend some time and write a different set of script to work on the cvs server (it doesn't use ldap).

@Gerv: Can you go through and update the dormant-(svn|hg) files in your repo.  Also just an fyi for you, we are now also bringing up a git server (that authenticates off ldap) for folks in webdev.  We probably need a similar policy there.
(In reply to comment #25)
> We probably need a similar policy there.

Probably need one for as well.
@Gerv: I have the scripts ready to start locking out old accounts.  Is the list in your mercurial repo good?  If it is, I will go ahead and mark those accounts inactive.
OK, the list in the Mercurial repo is now good. Aravind: go for it! :-)

(Let's worry about git and bzr another day.)

I disabled svn and hg accounts in LDAP.  I also disabled cvs accounts in the shadow file and added a DISABLED string to ssh key.
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Blocks: 556960
I am still using cvs.m.o -- really!

Brendan: bug 558206 filed.

Its been enough time since we closed the bug and I have now changed the scripts to disable accounts after being inactive for 6 months.
> after being inactive for 6 months.

This is way too sharp. I contribute constantly, but irregularly, since 12 years, and this makes contributing a pain. Not everybody works for Mozilla full-time.
Product: → Graveyard
You need to log in before you can comment on or make changes to this bug.