Re: Inactive packagers to be removed after the F37 release


 



> > However, last time this was discussed, the Fedora AAA system(s)
> > did not (yet?) support the full fido2/webauthn/passkey
> > functionality, so at this time such full integration is just a
> > dream(*).
>
> You don't have to be a provenpackager to be able to do serious damage;
> you just need to maintain one package that's installed by a
> sufficiently-interesting quantity of Fedora users. In the long run, we
> should be moving to require WebAuthn for all Fedora
> authentication-related purposes, since it's unphishable. Last year I
> entered my GitHub password into a phishing page that was proxying the
> real GitHub... if the evil page had gone to just slightly more effort,
> it could have easily intercepted a simple TOTP/HOTP challenge. This is
> not possible with WebAuthn, which I would say actually is pretty much
> equivalent to a security magic bullet.
>
> That said, I say this keenly aware that WebKitGTK doesn't support
> WebAuthn yet, and I would be interacting with Fedora packaging a lot
> less if I couldn't use my normal web browser. And anybody who isn't
> willing to buy a security key wouldn't be able to contribute to Fedora
> at all.

But WebAuthn and 2FA only stop someone else from compromising my
account; it would probably be easier to join and become a packager by
packaging a random leaf package no one would use, then as a packager
pick up a random orphaned package that's in the core distro and then
just compromise the distro that way TBH. 2FA won't stop that as they
can just set up an actual 2FA token for their packaging account.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



