http://print.google.com/print?id=SGAZdjNfruYC&lpg=PA131&pg=PA133&sig=WGHTNmAQLRV-fqi6LfIcAV-CQ9k

It’s basically just a computer. We don’t have any organization to what we do — no decisionmaking process, no policies. There are a small handful of people who have privs for adminning, so it’s just whatever they get around to. When I trawl the bugzilla every week or so for sitewranglers bugs, I look for ones I’m sure should be done. These are usually new accounts with all the information attached, and a comment from the project leader saying “yep, this is legit.”

When I see a request for a new project, I hesitate. I don’t know if it’s really an important project, if the desktop developers think it would be useful, or if the person applying for the new project has the perspective to work well in making an fd.o project. So I usually leave it.

When I see a request to change ssh/gpg, I get really sketched out. We’ve got no mechanism to authenticate this — gpg is the theory, but people lose gpg more than they lose ssh. So I’ll usually drop this on the floor, until I get some other authentication of it, such as a well known character on irc, or in this case a blog on p.g.o. Still not good authentication, but a reasonable indication that the change request is real I think.

Perhaps we should be associating phone numbers or something with users, so we could contact them. It would also be less worrisome if CVS was jailed somewhere so you could only access the repo through CVS, rather than hand-editing. Basically right now getting a user’s fd.o account = being able to silently trojan projects that the user’s a member of.

All of these possible changes are admin time, though, and I usually see admin time as subtracting directly from x.org time (perhaps not exactly true, but close). Sigh.