On Wed, May 27, 2026 at 12:15:44PM -0700, Adam Williamson wrote:
> On Wed, 2026-05-27 at 10:49 -0700, Adam Williamson wrote:
> > Hi, Nathan. I'm CCing devel@ and test@ so folks are aware this has been
> > going on.
> 
> Update on this: Nathan got back to me and says his credentials were
> compromised and he was not the one behind this AI system.

If we take them at their word, that this was indeed a case of
password compromise leading to account takeover, then this is
rather an embarrasing situation for Fedora IMHO.

IIRC, we last talked about mandating 2FA for all contributors
after the xz attack 2 years ago:

  
https://lists.fedoraproject.org/archives/list/[email protected]/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV

and AFAIR the only outcome of that was a weak docs statement that
Provenpackager "should" have 2FA enabled

  https://pagure.io/fesco/issue/3186
  https://forge.fedoraproject.org/fesco/docs/pulls/90

How many of our PP have got 2FA enabled today ?

When will we get around to mandating 2FA for all contribtors ? 

Will we ever augment OTP support with FIDO2/U2F to enable use
of hardware tokens ? 

GitHub has required 2FA since 2023
GitLab has required 2FA this year
PyPI has required 2FA since 2024

IMHO it is not a good look that Fedora continues to allow passwords
alone, given we know we are a high value target, and the consequences
can be potentially far reaching. 2FA isn't a magic solution to all
threats, but continuing to allow passwords alone makes compromising
account credentials too easy.

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to