[Savannah-cvs] [405] Add account recovery guidelines.

[ineiev]

Revision: 405
          
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=405
Author:   ineiev
Date:     2020-05-19 14:21:47 -0400 (Tue, 19 May 2020)
Log Message:
-----------
Add account recovery guidelines.

Modified Paths:
--------------
    trunk/sviki/FrontPage.mdwn
    trunk/sviki/LostPassword.mdwn

Added Paths:
-----------
    trunk/sviki/LostAccounts.mdwn
    trunk/sviki/RecoveredAccounts.mdwn

Modified: trunk/sviki/FrontPage.mdwn
===================================================================
--- trunk/sviki/FrontPage.mdwn  2020-05-02 06:13:07 UTC (rev 404)
+++ trunk/sviki/FrontPage.mdwn  2020-05-19 18:21:47 UTC (rev 405)
@@ -18,6 +18,7 @@
         -   [[DoWeHaveYourPassword]]
         -   [[GettingHelp]]
         -   [[IdleAccounts]]
+        -   [[LostAccounts]]
     -   [[HomepageAvailabilityOfPhpAndMysql]]
     -   [[HomepageUpload]]
     -   [[LostPassword]]
@@ -63,6 +64,7 @@
         -   [[ImpersonatingSomebody]]
         -   [[ManuallyChangeE-mail]]
         -   [[RenamingAccounts]]
+        -   [[LostAccounts]]
 
     -   [[ListServer]]
         -   [[ImportMailingListArchive]]

Added: trunk/sviki/LostAccounts.mdwn
===================================================================
--- trunk/sviki/LostAccounts.mdwn                               (rev 0)
+++ trunk/sviki/LostAccounts.mdwn       2020-05-19 18:21:47 UTC (rev 405)
@@ -0,0 +1,87 @@
+Recovering lost accounts
+========================
+
+This page documents our procedure of recovering lost accounts.
+Savannah admins are expected to follow it, Savannah users may use
+it as guidelines for recovering their accounts and to better
+understand the threats related to their Savannah accounts.
+
+Unconfirmed accounts
+--------------------
+
+Sometimes you don't receive the confirmation email Savannah sends
+you when registering an account, so you can't confirm it.  Unconfirmed
+accounts are removed after 2 or 3 days, the account name is freed,
+and you can try again.  If the issue persists, you may [contact
+Savannah admins](https://savannah.gnu.org/contact.php).  Since
+the account isn't used yet, they can just activate your account
+manually: in the superuser mode, find that user in the [siteadmin
+user list](https://savannah/siteadmin/userlist.php), it has
+links that activate accounts.
+
+Idle accounts
+-------------
+
+As an anti-spam measure, the accounts that haven't been used for more
+than two weeks after their creation are also automatically removed.
+In order to avoid it, it's sufficient to submit an item or comment
+on any tracker (of course, if your first comments are spam,
+your account is going to be deleted---manually), or to actually
+join a group (mere requests for inclusion don't count).
+
+For more info, see [[IdleAccounts]].
+
+Lost password
+-------------
+
+If you don't remember your password, you (and anyone else) can
+[request password reset](https://savannah.gnu.org/account/lostpw.php).
+Savannah will send you an URL that can be visited to set a new password
+for your Savannah account.  In case you don't receive that
+message, you'll be able to try it again a few hours later.
+
+If you are concerned with other people initiating and intercepting
+these messages, you can register an encryption-capable GPG key AND
+enable encryption of reset messages in your account settings.  Note
+that Savannah still sends reset messages unencrypted if it can't
+encrypt with your GPG key, for example,
+if the key has no subkey for encryption or our GnuPG version doesn't
+support your key algorithm. (_On the other hand, if you lose your
+GPG key in these settings, you won't be able to reset the password
+for your account._)
+
+The messages are sent to the email address you registered.  Often
+people lose both their passwords and control of the email addresses
+they were registered with.  In this case, we'll use your registered
+SSH key, or you can confirm your identity using your
+registered GPG key---if you ever registered any SSH or GPG keys
+in your account.  (_Likewise, if you lose *all* keys you registered
+in your account, restoring your account will be *harder*._)
+
+* If you have a signature-capable GPG key, you can send a signed
+  message where you express your request.
+
+* If you have a SSH key, you can commit your request to a repository
+  of a group you are a member of; if you are not a member
+  of any group with a repository, Savannah admins can temporarily
+  make you a member of a test Savannah group so that you could commit.
+
+Heavily used accounts
+---------------------
+
+The more activity the account has, the stronger confirmation
+from the user is needed to re-gain it.  And vice versa, if
+the account was only used for a few comments in the tracker
+and has never joined any teams, the admins may give it after
+
+* Savannah admins can check the time of the last login to that account
+  (https://savannah.gnu.org/siteadmin/lastlogins.php, or on mgt0,
+   use MySQL query like 
+   SELECT from_unixtime(session.time) FROM session,user
+   WHERE session.user_id=user.user_id AND user.user_name="rms"
+
+Recording cases
+---------------
+
+All requests for account recovery should be recorded on the [account
+recovery log page][[RecoveredAccounts]].

Modified: trunk/sviki/LostPassword.mdwn
===================================================================
--- trunk/sviki/LostPassword.mdwn       2020-05-02 06:13:07 UTC (rev 404)
+++ trunk/sviki/LostPassword.mdwn       2020-05-19 18:21:47 UTC (rev 405)
@@ -3,3 +3,6 @@
 
 A confirmation hash will be emailed to the address we have on file for
 you. Load the URL in the email to reset your password.
+
+If this doesn't work for you, see [account recovery
+procedures][[LostAccounts]].

Added: trunk/sviki/RecoveredAccounts.mdwn
===================================================================
--- trunk/sviki/RecoveredAccounts.mdwn                          (rev 0)
+++ trunk/sviki/RecoveredAccounts.mdwn  2020-05-19 18:21:47 UTC (rev 405)
@@ -0,0 +1,5 @@
+Account recovery log
+====================
+
+This page lists requests to recover Savannah accounts, with relevant
+links and summaries, in reverse chronological order since May, 2020.