Over the years we’ve granted many people commit access to various repos that are used by the project. As time goes by, some people have moved on to other pursuits and are no longer actively involved in the project. Additionally, we’ve created some teams so we can give access to various repos, some of which are also outdated.
The last time we did any sort of clean-up as far as my search-fu could find was 4 years ago.
While we try to enforce 2-factor authentication for committers, having many people with commit access also increases the potential attack surface in case any committer’s account gets compromised.
Therefore, I propose that we agree on a certain period of inactivity (say, 6 months?) after which direct commit access will be removed from users and they will be removed from any groups that grant commit access.
In case any such contributor ever decides they want to return to the project, they will be granted the same level of access they had previously without having to go through the formal nomination process again.
Once we finish this cleanup, we would likely find many teams that have no users left. Then we can decide if the specific team should be dropped (e.g. a team that was used for managing a deprecated plugin), or if we have a gap and we need to find new people who can maintain certain parts of the project.
For some repos we may also see that they have no committers left, and we will need to take similar action - call for maintainers or consider deprecation.
What are other people thinking?