Closed retire karsten's accesses
  • Closed Issue created by anarcat

    Since Karsten passed away, it is with a deep sadness in our hearts that we should start revoking his accesses inside the organisation.

    The process for this is documented in retire-a-user, although we should probably clarify what happens to his emails... Obviously, we haven't handled such a situation before (as far as I know), so we should be extra careful as to what we do with everything.

    Those are the services that need to be checked:

    • Big Blue Button: done, user has no access
    • blog (blocked, removed him from the blogger and admin groups, but kept the account)
    • bridges.tpo: no idea
    • btcpayserver: @hiro? I have no access
    • CiviCRM: no access
    • email: karsten was a member of the tor-weather@ and tor-archive-group@ aliases and was removed, arma and kaner remain on the former, boklm, anarcat, mikeperry, and dcf remain on the latter, see also the torarchive service above
    • GitLab: done, user is blocked
    • Gitolite/git-rw: @ahf @hiro
    • IRC: not using the irc bouncer, but part of the @tor-tpomember group and possibly more. @arma can you remove him from those irc groups?
    • jenkins: N/A
    • LDAP: any TPA admin can revoke karsten's accesses, not sure when to do this or what to do with his email address...
    • mailing lists: karsten was moderator for metrics-alert@, metrics-bugs@, metrics-team@, we need to find a replacement for those
    • nagios: removed his contact, need to find someone else to receive problem notifications for collector
    • Nextcloud: done, account disabled
    • RT
    • survey (revoked his accesses, but kept the account in case removing it would break surveys)
    • SVN: no access
    • translation: done, no access
    • WKD: removed his key from our OpenPGP keyring (crossing fingers here: hopefully that won't have a negative impact - this can easily be canceled by reverting commit 3b7bc44 in the account-keyring.git repo)

    Services covered by groups:

    • check - TPA
    • collector - @acute, @ahf, tpa will keep an eye as well through nagios
    • consensus-health - geko
    • exonerator - TPA?
    • globe - retired
    • metrics - @ahf
    • onionoo - @ahf
    • torarchive - @anarcat
    • tordnsel - TPA?
    • torextratpo - @hiro, previous blog and website linked there
    • tormedia - @hiro, same
    • torperf - remove the group
    • torproject - need to check files owned by karsten, below
    • torwww - still in use

    Additional TODO items, maybe out of scope?

    • globe is actually in use on staticiforme: /srv/globe-master.torproject.org is owned by the group. should those files be deleted?
    • check for files owned by karsten across the infra
    • check for crontabs owned by karsten everywhere (with actual lines! e.g. colchicifolium had an empty one)
    • decide what to do with torextratpo (no change since 2018)? (we'll just keep it)
    • iwakeh and nima are now only part of the "torproject" group, should their accesses be completely revoked?

    users removed from groups need to be checked across the accessible servers, karsten's files need to be checked separately (above) everywhere:

    • check.tpo: cleared files owned by arlo and phw, no other files found
    • collector: cleared dot files, gave what seemed to be important files in /home/iwakeh to arlo
    • exonerator: cleared mostly dot files from iwakeh
    • metrics: iwakeh
    • onionoo: iwakeh
    • torarchive: boklm
    • tordnsel: phw
    • torextratpo: nima
    • tormedia: nima

    left over files on servers:

    • archive-01.torproject.org: only SSH key files
    • check-01.torproject.org: only SSH key files
    • chives.torproject.org (irc bouncer): files removed
    • colchicifolium.torproject.org: files given to @acute
    • corsicum.torproject.org: files given to @acute
    • henryi.torproject.org (consensus-health): is tom still around? can they keep maintaining the service? for now I've given them karsten's files.
    • materculae.torproject.org (exonerator): no owner, left files there, need to change the exonerator@ forward when new person joins
    • media-01.torproject.org: only SSH key files
    • meronense.torproject.org (metrics.tpo): no owner, left files there for now, should be given to new metrics person
    • metrics-store-01.torproject.org: same
    • onionoo-backend-01.torproject.org: files given to @ahf
    • onionoo-backend-02.torproject.org: same
    • perdulce.torproject.org (people.tpo): to be evaluated, given the files to ~gaba, https://people.torproject.org/~karsten link broken, unfortunately.
    • scw-arm-par-01.torproject.org: N/A
    • shadow-01.torproject.org: N/A
    • staticiforme.torproject.org, mostly dist-master: given to @ahf
    60 of 63 checklist items completed · Edited by Gaba
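
The per-host checks in the TODO list (files owned by the retired account, crontabs "with actual lines", hosts with "only SSH key files") can be scripted. This is an added example, not part of the original issue or of TPA's tooling; the function names, the `CRON_SPOOL` variable and the Debian-style spool path are assumptions.

```shell
#!/bin/sh
# Added example: leftovers audit for a retired account on one host.
# Assumption: per-user crontabs live in the Debian-style spool directory.
CRON_SPOOL="${CRON_SPOOL:-/var/spool/cron/crontabs}"

# List non-directory entries under ROOT owned by OWNER (name or numeric uid).
# -xdev keeps find on one filesystem so network mounts are not crawled.
owned_files() {
    find "$2" -xdev ! -type d -user "$1" -print 2>/dev/null
}

# Same listing, minus anything inside a .ssh directory. A host where this
# prints nothing is the "only SSH key files" case.
owned_outside_ssh() {
    find "$2" -xdev ! -type d -user "$1" ! -path '*/.ssh/*' -print 2>/dev/null
}

# True when the crontab has at least one line that is neither blank nor a
# comment. An empty or comment-only crontab returns false.
crontab_has_entries() {
    [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# Report for one account: active crontab first, then files needing a decision.
audit_user() {
    user=$1
    root=${2:-/}
    if crontab_has_entries "$CRON_SPOOL/$user"; then
        echo "crontab: $CRON_SPOOL/$user has active lines"
    fi
    owned_outside_ssh "$user" "$root" | sed 's/^/file: /'
}

# Usage: sh audit.sh ACCOUNT [ROOT]   (run as root to read the cron spool)
if [ "$#" -gt 0 ]; then
    audit_user "$@"
fi
```

Environment assignments such as `MAILTO=` count as active crontab lines here, so a crontab containing only those is still reported.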
