On Thu, Dec 24, 2020 at 11:35:03AM +0000, Peter Robinson wrote:
> On Thu, Dec 24, 2020 at 10:43 AM Leigh Scott <leigh123linux@xxxxxxxxx> wrote:
> >
> > > On Wed, Dec 23, 2020 at 12:49 PM Vitaly Zaitsev via devel
> > > <devel(a)lists.fedoraproject.org> wrote:
> > > >
> > > > It does support it, but AFAIK does not require it.
> > >
> > > Arguably those with elevated access (provenpackagers(*))
> > > should be required to use a hardware token such
> > > as a FIDO2 authenticator with biometrics and/or
> > > PIN required (some phones with biometrics
> > > are equivalent to external tokens) where passwords
> > > themselves can go away. That may be a bridge too
> > > far at this point, but I would like to see that as a goal
> > > to work towards (2021 should be the year passwords
> > > die according to Microsoft).
> >
> > Are Fedora going to provide us with the FIDO2 authenticators with biometrics hardware?
> > My current FIDO U2F key just has a button to press.
>
> There's apps too

Ad biometrics:
There currently exists no biometric authentication option that has not
already been broken, sometimes even before release. This only adds a
false sense of security. (Fingerprints can't just be reset/renewed, either.)

Apps are *never* equivalent to physical tokens, as phones almost always
have a direct network connection with exposed services, or
network-submitted code running on the device.

Requiring a higher security level for some things is fine, as long as it
is not too tedious - otherwise people will write workarounds for it.
FIDO2 itself seems to be the current thing, but the biometrics option
doesn't add anything useful.

Ad expiration of pp accounts:
Confirmation e.g. once a year by the same person is fine (with
appropriate reminder emails/notifications), but as soon as you add more
requirements from other persons it makes it more political.

All the best,
Astra