On Fri, 2026-06-12 at 20:45 +0100, Dave Love wrote: > Vitaly Zaitsev via devel <[email protected]> writes: > > > FIDO2 is a proprietary black box. There are no software > > implementations due to mandatory certification by the FIDO Alliance. > > In addition to the others mentioned, if I was going to buy another > normal sort of hardware key, it would probably be a Nitrokey with free > firmware, made in Germany (if you care), and looks a bit cheaper than > Yubikeys.
I'm personally strongly in the +1 column for mandatory 2FA. Packagers (especially proven packagers) are an incredible target for supply chain attacks, they've got the power to push updates out to Fedora and CentOS/RHEL's userbase without review and an attack like that could get pretty far before being noticed. There's probably an important discussion to be had about how we'd detect and remediate the compromise of someone in that role. It has happened before and it will happen again, there are articles today about it happening to an Arch packager. Ideas on what we do about this whilst preserving piracy and agility (e.g. I don't think it would ever be practical to enforce PR reviews on every commit to dist-git) would be worth sharing. In the more immediate term, if there's interest then I'd be happy to look at what we can do to make TOTP on hardware keys easier to use. Documentation on the setup and perhaps some tweaks to fkinit could be useful, and I've got a variety of brands of hardware keys from $DAYJOB that I can test with. Obviously this would be a stop-gap until we're in the position to do proper FIDO, but I think it's better than nothing. -- Daniel Milnes
signature.asc
Description: This is a digitally signed message part
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
