On 2/21/22 22:17, Ian McInerney via devel wrote:
> On Tue, Feb 22, 2022 at 2:15 AM Demi Marie Obenour <demiobenour@xxxxxxxxx>
> wrote:
>
>> On 2/21/22 14:16, Vitaly Zaitsev via devel wrote:
>>> On 21/02/2022 19:25, Demi Marie Obenour wrote:
>>>> FIDO keys are significantly more secure than OTPs, and FAS should get
>>>> support for them. OTPs are still phishable, whereas FIDO2 generally
>>>> isn't.
>>>
>>> OTP is absolutely free. FIDO2 requires the purchase of a special
>>> hardware token.
>>
>> One must remember that anyone in the packagers group can (with a
>> modicum of effort) get code execution on a huge number of machines,
>> and is thus an incredibly attractive target for phishing attacks.
>> Developing a roadmap to encourage, and eventually require, the use of
>> hardware authenticators to submit packages is a reasonable precaution
>> in this threat environment. A hardware authenticator could be a FIDO2
>> token, smart card, etc.
>>
>
> While it may make sense from the security standpoint, we also need to
> factor in the community/economic factor for Fedora contributors. Requiring
> the use of a hardware key then means that contributors have to spend their
> money to buy such a key, adding an additional hurdle for them to go
> through. Having to get the hardware key may also be prohibitive for
> contributors coming from developing countries, or who are
> low-income/unemployed, where they may already have a computer to use, but
> the added cost of a new hardware key could be a large burden.
>
> The only viable option I see for requiring the use of hardware keys would
> be if Red Hat (or another sponsor) provided them to packagers when needed.
> This is probably prohibitive to do for the entire packager group, so
> instead it would make more sense to focus on the group that would expose
> the largest amount of the distribution - the proven packager group. This
> set of packagers is a smaller group, and they would have shown a dedication
> to the community/Fedora in the past to be approved by FESCO. It would
> probably be easier to convince Red Hat/the Fedora Council to sponsor
> hardware keys for that core group than the community at large should the
> decision to require them be made.
>
> -Ian

Proven packagers are definitely a good place to start, along with
maintainers of core packages such as glibc. Next should be the maintainers
of any package that is a dependency (either at build-time or runtime) of
any package that is either (1) included in any default install or (2) used
in Fedora's own infrastructure. That leaves the Supplements: hole still
open, which needs to be dealt with some other way.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure