Describe the memorialization procedure

[ambv]

---

📚 Documentation preview 📚: https://cpython-devguide--1516.org.readthedocs.build/

[sethmlarson]

Thank you for creating this Łukasz, I'm not sure if buildbots should have their own section here? Then I had two other comments, otherwise LGTM

[ambv]

Added Discord and Buildbot. Landing.

[ezio-melotti]

Thanks for taking care of this.

[ezio-melotti]

There might also be tokens created by the user for specific services (GH actions, bots, hooks). Maybe a paragraph should be added about checking for (and possibly remove/replace them) those too?

[ambv]

I agree in principle, but I don't know how to actually enforce it. For OAuth app tokens, it's impossible to remove a token only for a single person. We rather clean this via disconnecting the user's GitHub from their Discourse account and logging them out, etc.

For GitHub app tokens and private keys requested by a concrete user, I don't know how to vet this other than clicking through every GH app on every repository. What do we expect to do in this case? Invalidate every token? I expect that the user who created such a private key or token only used it to put it in the GH app's secrets and was not otherwise stored by them locally, but of course that might be wrong.

[ezio-melotti]

I just checked the secrets on a repo and there doesn't seem to be any indication of who generated/added the token, and indeed it shouldn't matter too much who does it.

Maybe this is an issue about documenting who manages these services (and is therefore in charge of managing the tokens), so that someone else can take over if needed. (Some of these are already documented in the devguide.)

[sethmlarson]

Yeah that was my worry too, that tokens don't tell you who generated them without consulting the audit log. Agreed on documenting who manages the services, I think that's sufficient along with tokens auto-expiring and refreshing.