retire karsten's accesses
Since Karsten passed away, it is with a deep sadness in our hearts that we should start revoking his accesses inside the organisation.
The process for this is documented in retire-a-user, although we should probably clarify what happens to his emails... Obviously, we haven't handled such a situation before (as far as I know), so we should be extra careful as to what we do with everything.
Those are the services that need to be checked:
- Big Blue Button: done, user has no access
- blog (blocked, removed him from the blogger and admin groups, but kept the account)
- bridges.tpo: no idea
- btcpayserver: @hiro? I have no access
- CiviCRM: no access
- email: karsten was a member of the tor-archive-group@ aliases and was removed, kaner remain on the former, dcf remain on the latter, see also the
- GitLab: done, user is blocked
- Gitolite/git-rw: @ahf @hiro
- IRC: not using the irc bouncer, but part of the @tor-tpomember group and possibly more. @arma can you remove him from those irc groups?
- jenkins: N/A
- LDAP: any TPA admin can revoke karsten's accesses, not sure when to do this or what to do with his email address...
- mailing lists: karsten was moderator for metrics-alert@, metrics-bugs@, metrics-team@, we need to find a replacement for those
- nagios: removed his contact, need to find someone else to receive problem notifications for collector
- Nextcloud: done, account disabled
- survey (revoked his accesses, but kept the account in case removing it would break surveys)
- SVN: no access
- translation: done, no access
- WKD: removed his key from our OpenPGP keyring (crossing fingers here: hopefully that won't have a negative impact - this can easily be canceled by reverting commit 3b7bc44 in the
Services covered by groups:
- check - TPA
- collector - @acute, @ahf, tpa will keep an eye as well through nagios
- consensus-health - geko
- exonerator - TPA?
- globe - retired
- metrics - @ahf
- onionoo - @ahf
- torarchive - @anarcat
- tordnsel - TPA?
- torextratpo - @hiro, previous blog and website linked there
- tormedia - @hiro, same
- torperf - remove the group
- torproject - need to check files owned by karsten, below
- torwww - still in use
Additional TODO items, maybe out of scope?
- globe is actually in use on staticiforme: /srv/globe-master.torproject.org is owned by the group. should those files be deleted?
- check for files owned by karsten across the infra
- check for crontabs owned by karsten everywhere (with actual lines! e.g. colchicifolium had an empty one)
- decide what to do with torextratpo (no change since 2018)? (we'll just keep it)
- iwakeh and nima are now only part of the "torproject" group, should their accesses be completely revoked?
users removed from groups need to be checked across the accessible servers, karsten's files need to be checked separately (above) everywhere:
- check.tpo: cleared files owned by arlo and phw, no other files found
- collector: cleared dot files, gave what seemed to be important files in /home/iwakeh to arlo
- exonerator: cleared mostly dot files from iwakeh
- metrics: iwakeh
- onionoo: iwakeh
- torarchive: boklm
- tordnsel: phw
- torextratpa: nima
- tormedia: nima
Left over files on servers:
- archive-01.torproject.org: only SSH key files
- check-01.torproject.org: only SSH key files
- chives.torproject.org (irc bouncer): files removed
- colchicifolium.torproject.org: files given to @acute
- corsicum.torproject.org: files given to @acute
- henryi.torproject.org (consensus-health): is tom still around? can they keep maintaining the service? for now I've given them karsten's files.
- materculae.torproject.org (exonerator): no owner, left files there, need to change the exonerator@ forward when new person joins
- media-01.torproject.org: only SSH key files
- meronense.torproject.org (metrics.tpo): no owner, left files there for now, should be given to new metrics person
- onionoo-backend-01.torproject.org: files given to @ahf
- perdulce.torproject.org (people.tpo): to be evaluated, given the files to ~gaba, https://people.torproject.org/~karsten link broken, unfortunately.
- staticiforme.torproject.org, mostly dist-master: given to @ahf
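The two per-host checks in the TODO list above (files owned by the departed account, and crontabs "with actual lines") can be scripted as below. This is an added example, not part of the original ticket or TPA's tooling; the function names and the `CRON_SPOOL` variable are hypothetical, and the default spool path assumes Debian-style per-user crontabs.

```shell
#!/bin/sh
# Added example (not from the ticket): per-host audit for a retired account.
# Assumption: per-user crontabs live in /var/spool/cron/crontabs (Debian).

# owned_files USER ROOT...: list everything under the given roots that is
# still owned by USER (login name or numeric uid). -xdev keeps find on one
# filesystem per root, so list each mounted filesystem you want covered.
owned_files() {
    user=$1; shift
    find "$@" -xdev -user "$user" -print 2>/dev/null | sort
}

# active_cron_lines FILE: print only the lines of a crontab that do
# something, skipping blank lines and comments.
active_cron_lines() {
    [ -r "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# cron_status FILE: "none" (no crontab), "empty" (file exists but holds no
# jobs, like the empty one mentioned in the ticket), or "active".
cron_status() {
    if [ ! -e "$1" ]; then echo none
    elif [ -z "$(active_cron_lines "$1")" ]; then echo empty
    else echo active
    fi
}

# audit_user USER [ROOT...]: report for one account on this host.
# Run as root so the spool directory and every home are readable.
audit_user() {
    user=$1; shift
    [ $# -gt 0 ] || set -- /
    spool=${CRON_SPOOL:-/var/spool/cron/crontabs}
    echo "== files owned by $user =="
    owned_files "$user" "$@"
    echo "== crontab: $(cron_status "$spool/$user") =="
    active_cron_lines "$spool/$user"
}

# Usage: audit_user exampleuser / /home /srv
```

Files reported here still need a per-file decision (delete, or `chown` to the new maintainer), as the ticket does host by host.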