On Wed, May 27, 2026 at 12:15:44PM -0700, Adam Williamson wrote: > On Wed, 2026-05-27 at 10:49 -0700, Adam Williamson wrote: > > Hi, Nathan. I'm CCing devel@ and test@ so folks are aware this has been > > going on. > > Update on this: Nathan got back to me and says his credentials were > compromised and he was not the one behind this AI system.
If we take them at their word, that this was indeed a case of password compromise leading to account takeover, then this is rather an embarrasing situation for Fedora IMHO. IIRC, we last talked about mandating 2FA for all contributors after the xz attack 2 years ago: https://lists.fedoraproject.org/archives/list/[email protected]/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV and AFAIR the only outcome of that was a weak docs statement that Provenpackager "should" have 2FA enabled https://pagure.io/fesco/issue/3186 https://forge.fedoraproject.org/fesco/docs/pulls/90 How many of our PP have got 2FA enabled today ? When will we get around to mandating 2FA for all contribtors ? Will we ever augment OTP support with FIDO2/U2F to enable use of hardware tokens ? GitHub has required 2FA since 2023 GitLab has required 2FA this year PyPI has required 2FA since 2024 IMHO it is not a good look that Fedora continues to allow passwords alone, given we know we are a high value target, and the consequences can be potentially far reaching. 2FA isn't a magic solution to all threats, but continuing to allow passwords alone makes compromising account credentials too easy. With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
