On Thu, Sep 15, 2022 at 04:34:08PM -0400, Demi Marie Obenour wrote: > On 9/15/22 13:55, Kevin Fenzi wrote: > > On Thu, Sep 15, 2022 at 09:26:36AM +0300, Alexander Bokovoy wrote: > >> > >> Proven packagers seem to be a fair category to address. Also packagers > >> responsible for security-related bits of the distribution. Compilers? > > > > Well, as others noted in this thread, any packager has a lot of power. > > They can add a weak dep on something everyone has installed and pull > > their package in. Of course they likely only get to do that once. > > > >> There is probably a value in defining what functions critical to have > >> strongly authenticated and identified to the distribution at large. For > >> example, right now even 2FA OTP requirement is not mandatory for certain > >> package groups. > > > > As far as I know, it's not possible to enforce otp per group is it? > > That would be a nice enhancement. > > > > Additionally, right now, packagers commit with ssh keys or oidc tokens, > > in order for a 2fa setup to be effective, we would need to switch that > > to kerberos or the like. > > SSH keys are fine.
Sure, but unless you are using ecdsa-sk or ed25519-sk keys, they aren't 2factor enabled. Your account could be using OTP, but if someone gets your ssh private key they can commit as you. kevin
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
