Re: Three steps we could take to make supply chain attacks a bit harder

On Fri, Apr 12, 2024 at 4:05 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:

> So, if FESCo decided we wanted to enforce 2fa for provenpackagers or
> whatever, right now that would require some work on some scripting,
> which I guess would remove people without otp? But then there would
> still be a window when the user was added and before the script removed
> them. Or some way for sponsors to check otp status before sponsoring
> someone, but if that's manually it could be missed.
>
> I think in any case it might be good to find all the {proven}packager
> members without otp and perhaps email them a note about how to set
> things up, etc.

Finding the (proven)packager members without 2FA might be a useful thing to know in order to influence any decision or the implementation time frame (is it 20% or 80% of (P)Ps?).

That said, I would rather see any such follow-up directed email happen after a FESCo decision about 2FA is made in order to avoid possible multiple emails (one sent soonish saying that you *could* add 2FA, should you want to, and another, should the decision be made to require 2FA, to say that you will be required to add 2FA after some date; one email is better).

That does presume that FESCo will make a decision in the near term such that any email text can be appropriately crafted.

While there will always be some window/edge cases, I think we should start with the presumption that most (proven)packagers will wish to do the right thing, and will use 2FA if that is the stated requirement. After-the-fact cleanup/removals, as the community now does for inactive packages, may not be ideal but is arguably sufficient as a first step.
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
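The thread above asks for a list of (proven)packager members who have no OTP enrolled, and for the share of the group that represents. The script below is an added example written for this archive page; it is not Fedora infrastructure code and nothing in the thread describes how Fedora would actually implement the check. It assumes the accounts live in FreeIPA (Fedora Accounts/Noggin is a front-end to IPA) and that the standard `ipa group-show GROUP` text output carries "Member users:" / "Indirect Member users:" lines while `ipa otptoken-find --owner=USER` ends with a "Number of entries returned N" summary; those formats are recalled from the FreeIPA CLI and are assumptions, so adjust the regexes if your version prints differently. The sample outputs embedded in the block are constructed so it runs offline; the `live()` path needs a Kerberos ticket with permission to read other users' tokens.

```python
"""Audit which members of a FreeIPA group have no OTP token enrolled.

Added example, not Fedora's own tooling. Assumptions (from memory of the
FreeIPA CLI): `ipa group-show` prints "Member users:" and optionally
"Indirect Member users:" as comma-separated lines; `ipa otptoken-find
--owner=USER` ends with "Number of entries returned N".
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample output in the shape `ipa group-show provenpackager` prints.
SAMPLE_GROUP_SHOW = """  Group name: provenpackager
  Description: Proven Packagers (constructed sample)
  GID: 100004
  Member users: alice, bob, carol
  Indirect Member users: dave, alice
"""

# Constructed sample `ipa otptoken-find --owner=USER` output, one per user.
SAMPLE_TOKEN_FINDS = {
    "alice": "-------------------\n1 OTP token matched\n-------------------\n"
             "  Unique ID: 11111111-2222-3333-4444-555555555555\n  Type: TOTP\n"
             "  Owner: alice\n----------------------------\n"
             "Number of entries returned 1\n----------------------------\n",
    "bob":   "--------------------\n0 OTP tokens matched\n--------------------\n"
             "----------------------------\nNumber of entries returned 0\n"
             "----------------------------\n",
    "carol": "Number of entries returned 2\n",
    # "dave" deliberately absent: an indirect member the token query never ran for.
}


def parse_group_members(group_show_output: str) -> list[str]:
    """Return direct and indirect member users, de-duplicated, in order of appearance."""
    members: list[str] = []
    for line in group_show_output.splitlines():
        m = re.match(r"\s*(?:Indirect )?Member users:\s*(.*)$", line)
        if m:
            members.extend(u.strip() for u in m.group(1).split(",") if u.strip())
    return list(dict.fromkeys(members))


def parse_token_count(otptoken_find_output: str) -> int:
    """Return the token count from the otptoken-find summary line; fail loudly if absent."""
    m = re.search(r"Number of entries returned (\d+)", otptoken_find_output)
    if not m:
        raise ValueError("unrecognised otptoken-find output")
    return int(m.group(1))


@dataclass
class OtpAudit:
    with_otp: list[str] = field(default_factory=list)
    without_otp: list[str] = field(default_factory=list)

    @property
    def percent_without(self) -> float:
        total = len(self.with_otp) + len(self.without_otp)
        return 100.0 * len(self.without_otp) / total if total else 0.0


def audit(members: list[str], token_counts: dict[str, int]) -> OtpAudit:
    """Split members by OTP enrolment. A member with no token query result
    counts as lacking OTP: fail closed and verify, rather than assume."""
    result = OtpAudit()
    for user in members:
        bucket = result.with_otp if token_counts.get(user, 0) > 0 else result.without_otp
        bucket.append(user)
    return result


def ipa(*args: str) -> str:
    """Run an `ipa` CLI command and return stdout (needs a valid Kerberos ticket).
    check=False because a find with zero matches is a valid, parseable answer."""
    return subprocess.run(["ipa", *args], capture_output=True, text=True).stdout


def demo() -> OtpAudit:
    """Run the audit over the constructed samples above (works offline)."""
    members = parse_group_members(SAMPLE_GROUP_SHOW)
    counts = {u: parse_token_count(out) for u, out in SAMPLE_TOKEN_FINDS.items()}
    return audit(members, counts)


def live(group: str = "provenpackager") -> OtpAudit:
    """Same audit against a real IPA server; one otptoken-find per member."""
    members = parse_group_members(ipa("group-show", group))
    counts = {u: parse_token_count(ipa("otptoken-find", f"--owner={u}")) for u in members}
    return audit(members, counts)


if __name__ == "__main__":
    report = demo()
    total = len(report.with_otp) + len(report.without_otp)
    print(f"{len(report.without_otp)}/{total} members without OTP "
          f"({report.percent_without:.0f}%): {', '.join(report.without_otp)}")
```

Two points follow from the thread rather than from the code. First, an audit like this only closes the "added before the script removed them" window as often as it runs, so it is a detection control, not an enforcement one; the enforcement would have to sit in the sponsorship or group-add path. Second, a user can own an OTP token without being required to use it, so "has a token" is a proxy for "uses 2FA"; check the account's authentication type as well if your IPA policy allows password-only login alongside OTP.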



