On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote:
> On 06/09/2022 23:14, Jonathan Wright wrote:
> > Fedora must be looked at as more than just a "hobby project" even though
> > it is a hobby for some.
>
> There are many casual maintainers who maintain one or two packages. We
> shouldn't force them to leave Fedora.
>
> > It's an OS that many rely on and $25 is a somewhat trivial cost for improved security.
>
> There are many contributors from countries where $25 is a lot. We
> shouldn't set up financial barriers.

This is a dead end. I think we kind of have two competing factors here, and it's not much use Camp A saying "FACTOR A IS IMPORTANT!" and Camp B saying "NO FACTOR B IS IMPORTANT!" and that just going round in circles.

On the one hand, Fedora is not just a hobby project. It's an important upstream in the F/OSS ecosystem. Very important downstreams like CentOS, RHEL, Amazon Linux and others are built out of it. It's absolutely an attractive target for a supply chain attack. We have an ethical responsibility to the F/OSS community to harden ourselves against such attacks, and FIDO2 auth would be a good way to do that.

On the other hand, you are correct that requiring people to either pay money or accept proprietary software at some level in order to contribute packages to Fedora would be a barrier to contribution, and barriers to contribution suck. We could maybe find a sponsor to send *existing* packagers a hardware token, but that still leaves the problem of what to do about *new* packagers - find a sponsor willing to mail a key to anyone who passes a package review? Well, maybe. What to do about country laws and export controls that have been brought up? That's another problem.

So, we are in a dilemma without a perfect solution. We either have to decide which factor is more important, or find some way to compromise/finesse things, like requiring FIDO2 auth only for provenpackagers. Or only for commits to critpath packages. (And then what to do about Supplements:-style attacks?)

The productive thing to do is discuss which factor is the most important, or what the best compromise would be. Not just have two sets of people keep repeating at each other that each factor exists.
-- 
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net