Re: [Savannah-hackers-public] Remove resume feature to prevent abuse?

[John Sullivan]

Ineiev <address@hidden> writes:

> On Wed, Mar 06, 2019 at 02:08:54PM -0500, John Sullivan wrote:
>> 
>> The way I've seen other services deal with this is:
>> 
>> * Set a policy about what constitutes inactivity (for example, no log in
>>   for 3 years)
>> 
>> * Send an email to accounts on the wrong side of that line saying they
>>   will be deleted in N days unless they log in.
>> 
>> * Send a reminder email shortly before the deletion date to those who
>>   still meet the criterion
>> 
>> * Delete accounts on the date
>> 
>> * Send confirmation email that account was deleted
>> 
>> Is it worth the effort given current available maintainer resources? Not
>> sure. It's probably worth the effort to define the policy (accounts may
>> be deleted if inactive for N years, or whatever) and put that publicly
>> on the site. Gives more flexibility for quicker action later.
>
> I don't think we really want to remove old accounts inactive
> for any long period, they are few. what we want is removing new
> accounts that aren't used for some period, and the period should be
> weeks rather than years: most spam accounts were created within last
> 5 years, and the number of accounts per month increases: we had
> 5k accounts in 2016, 8k in 2017 and 18k in 2018.
>

Both make sense to me. Retaining old inactive data is a security risk --
magnifies the impact of any database breach. But the point about new
accounts makes sense too, and may be higher priority because of the
impact of spam on maintenance burden and service performance.

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: A462 6CBA FF37 6039 D2D7 5544 97BA 9CE7 61A0 963B
https://status.fsf.org/johns | https://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
<https://my.fsf.org/join>.