Re: Three steps we could take to make supply chain attacks a bit harder

On Sun, 2024-03-31 at 07:42 -0400, Neal Gompa wrote:
> On Sun, Mar 31, 2024 at 7:36 AM Arthur Bols <arthur@xxxxxxxx> wrote:
> > 
> > On 31/03/2024 13:03, Kevin Kofler via devel wrote:
> > 
> > This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
> > contributors for a while, starting with "important" projects, then getting
> > stricter and stricter. It has done absolutely nothing to stop this attack.
> > How could it, when the backdoor was apparently introduced by the authorized
> > maintainer? (Or if not, the attacker must have had access to their 2FA
> > secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
> > US! And especially DO NOT abuse this incident as an excuse to force 2FA down
> > our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
> > repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!
> > 
> > 
> > 2FA for Fedora packagers doesn't solve this issue, but that wasn't Adam's point. What Adam is saying is that we're in danger of focusing too much on a specific issue while we should spend our time and energy on the general security aspect of Fedora. 2FA isn't nonsense, it strengthens security by a lot. A compromised (proven)packager account can do a lot of harm and can take a while to be noticed. If this would happen to us, Fedora's reputation would tank immediately. Mint is still regarded as an insecure distro (in my circles) for things that happened before I even entered the Linux scene...
> > 
> > Like it or not, this is 2024 and passwords are not as secure as they used to be. Yelling about it isn't going to solve anything. Meanwhile, enabling 2FA helps A LOT even if used incorrectly (e.g. storing it in the same keepassxc database).
> > 
> 
> At this point, I'm used to MFA for stuff (and I use a password manager
> that handles 2FA OTPs too), but the Fedora implementation of MFA is
> uniquely bad because we have to do a lot in the terminal, and our MFA
> implementation sucks for terminal usage.
> 
> If MFA is turned on:
> 
> 1. The Fedora account integration in GNOME breaks
> 2. You need to concatenate password and OTP for getting a krb5 session ticket
> 3. The recovery mechanism involves GPG signed emails
> 
> The experience using 2FA for Fedora accounts is sufficiently
> unpleasant that I really don't want to use it.

Copying this comment here from the FESCo ticket at Kevin's request -
please follow up here, not there:

I think the points above and others made later about areas where the
2FA experience on Fedora is bad are absolutely correct and justified.
I also think there is a solid argument that we should do this anyway.

I think the vulnerability associated with having packager (and
provenpackager? Do we require 2FA for provenpackager yet? I wasn't
actually sure, when I wrote my list post) accounts without 2FA is
sufficiently horrendous that we just cannot accept it. Yes, our
implementation of 2FA is suboptimal and would frustrate people. Is that
worse than the consequences of letting ourselves be compromised?
Imagine how brutal the response would be if it came to light that
Fedora had been compromised through exploitation of single-factor
authentication. It would not be kind. It would be a huge and lasting
stain on our reputation. People would say, justifiably so, that it was
absolutely unacceptable for us to be allowing single-factor
authentication for contributors to a general-purpose operating system
in 2024. It is.

We now have incontrovertible evidence that extremely sophisticated
attackers are willing to mount extremely sophisticated attacks on the
supply chain of which we are a significant component. We are busy
Monday morning quarterbacking about extremely complex ways to try and
counteract an attack of that sophistication. Meanwhile we are still
leaving this huge vulnerability to much less sophisticated attacks,
which has been known to be one for literal decades at this point, open.
We know that much less sophisticated attackers exploit single-factor
authentication for purposes as trivial as stealing cryptocurrency, and
it happens frequently. I don't think we can pretend we can't connect
the dots here.

On a practical level, if we just made 2FA compulsory, it would provide
people with a much stronger motivation to contribute and make the
experience of it better. So long as we let people not use it, that
motivation does not exist. I suspect if we just did it, we'd get a more
sophisticated experience with Kerberos and recovery tokens and all the
rest of it much faster than we will if we don't.

-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx
https://www.happyassassin.net



--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue