Re: Stale proven packagers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Dec 26, 2020 at 6:14 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> On Thu, Dec 24, 2020 at 07:32:04AM +0000, Dridi Boukelmoune wrote:
> > > The weakest point in the current system is really the FAS password. If
> > > you have a packager's FAS password you can change the ssh key
> > > associated with the account to another that you control, and the FAS
> > > password is also all you need to run a build and submit it to Bodhi.
>
> Well, really the weakest point is email. If you have control over a fas
> accounts email address you can reset the password, etc.
>
> > Or you add an SSH key without removing the maintainer's keys on the
> > off chance that it would go unnoticed...
>
> fas sends email on every such change.

There are situations where notifications could go unnoticed. At this
point if an attacker managed to compromise an email address and add an
SSH key to a fas account, the attacker might also delete the
notification email promptly.

Dridi
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux