On Wed, Sep 07, 2022 at 07:51:15AM -0400, Stephen Smoogen wrote:
> On Wed, 7 Sept 2022 at 02:53, Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx>
> wrote:
>
> > On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote:
> > > On 06/09/2022 23:14, Jonathan Wright wrote:
> > > > Fedora must be looked at as more than just a "hobby project" even
> > > > though it is a hobby for some.
> > >
> > > There are many casual maintainers who maintain one or two packages. We
> > > shouldn't force them to leave Fedora.
> > >
> > > > It's an OS that many rely on and $25 is a somewhat trivial cost for
> > > > improved security.
> > >
> > > There are many contributors from countries where $25 is a lot. We
> > > shouldn't set up financial barriers. This is a dead end.
> >
> > I think we kind of have two competing factors here, and it's not much
> > use Camp A saying "FACTOR A IS IMPORTANT!" and Camp B saying "NO FACTOR
> > B IS IMPORTANT!" and that just going round in circles.
> >
> > On the one hand, Fedora is not just a hobby project. It's an important
> > upstream in the F/OSS ecosystem. Very important downstreams like
> > CentOS, RHEL, Amazon Linux and others are built out of it. It's
> > absolutely an attractive target for a supply chain attack. We have an
> > ethical responsibility to the F/OSS community to harden ourselves
> > against such attacks, and FIDO2 auth would be a good way to do that.
>
> So I think all this focusing on FIDO2 as a requirement is the problem. We
> are looking at least 2-3 years before Fedora Infrastructure could actually
> support it at scale. This is not just technical support, but needing
> people to actually handle the problems. We have a hard enough handling OTP
> tokens that people put in and then immediately lose so can't log in or
> change their accounts. Dealing with 100 developers who only put one token
> on their system and then promptly lose it after going for a jog etc is
> going to be a nightmare. [I had to support scientists with one time tokens
> before, and it is a constant 'I lost my token and I need to be verified
> that I am who I am. Can I get a new token?' etc.]
>
> So I am going to say I am in agreement with Vitaly that FIDO2 is not a
> solution we could support at this time. At most we could support HOTP via
> yubikey but we would need to be able to make sure
> 1. That we have some sort of '5 codes which can be used in case of
> emergency'. These are printed on a screen and that is it.
> 2. We make sure that people have 2 additional devices attached before OTP
> is 'enabled'.
>
> Otherwise this is going to end in tears even before we tried to get 'FIDO2'
> set up.

Do people lose their tokens more often than forget their passwords? How do we deal with a forgotten password now <https://accounts.fedoraproject.org/forgot-password/ask>? Do we have to strengthen an authentication reset with the advent of tokens?

I'm asking because to me it seems that the problem as you painted it is not about having a token but about resetting authentication credentials. Shouldn't we instead start with strengthening the credentials reset even for password-only authentication? I.e. disallowing the reset. Or enabling having multiple passwords.

-- 
Petr
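The two preconditions Stephen lists (five single-use emergency codes shown once, and two additional devices enrolled before OTP is switched on), modelled as an enrollment-policy check. This is an added example, not code from Fedora Infrastructure or from anyone in the thread; the `Account` class, its method names and the recovery-code format are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy constants taken from the thread: five emergency codes, shown once,
# and two additional devices enrolled before OTP is switched on.
RECOVERY_CODE_COUNT = 5
MIN_DEVICES_BEFORE_ENABLE = 2


def _hash_code(code: str) -> str:
    # Codes are high-entropy random strings, not user-chosen passwords, so a
    # plain SHA-256 (rather than a slow password hash) is adequate here.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:  # hypothetical model, not the real Fedora account object
    devices: set[str] = field(default_factory=set)
    recovery_hashes: list[str] = field(default_factory=list)
    otp_enabled: bool = False

    def enroll_device(self, device_id: str) -> None:
        self.devices.add(device_id)

    def issue_recovery_codes(self) -> list[str]:
        # The returned plaintext is displayed once; only hashes are retained.
        codes = [secrets.token_urlsafe(12) for _ in range(RECOVERY_CODE_COUNT)]
        self.recovery_hashes = [_hash_code(c) for c in codes]
        return codes

    def enable_otp(self) -> bool:
        # Refuse to enable OTP until the account has a recovery path.
        if len(self.devices) < MIN_DEVICES_BEFORE_ENABLE:
            return False
        if len(self.recovery_hashes) < RECOVERY_CODE_COUNT:
            return False
        self.otp_enabled = True
        return True

    def redeem_recovery_code(self, code: str) -> bool:
        # Each code works exactly once; the comparison is constant-time.
        candidate = _hash_code(code)
        for stored in self.recovery_hashes:
            if hmac.compare_digest(stored, candidate):
                self.recovery_hashes.remove(stored)
                return True
        return False

    def remaining_recovery_codes(self) -> int:
        return len(self.recovery_hashes)
```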