On 9/15/22 13:55, Kevin Fenzi wrote: > On Thu, Sep 15, 2022 at 09:26:36AM +0300, Alexander Bokovoy wrote: >> >> Proven packagers seem to be a fair category to address. Also packagers >> responsible for security-related bits of the distribution. Compilers? > > Well, as others noted in this thread, any packager has a lot of power. > They can add a weak dep on something everyone has installed and pull > their package in. Of course they likely only get to do that once. > >> There is probably a value in defining what functions critical to have >> strongly authenticated and identified to the distribution at large. For >> example, right now even 2FA OTP requirement is not mandatory for certain >> package groups. > > As far as I know, it's not possible to enforce otp per group is it? > That would be a nice enhancement. > > Additionally, right now, packagers commit with ssh keys or oidc tokens, > in order for a 2fa setup to be effective, we would need to switch that > to kerberos or the like.
SSH keys are fine. -- Sincerely, Demi Marie Obenour (she/her/hers) _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
