On Fri, 2026-06-12 at 20:45 +0100, Dave Love wrote:
> Vitaly Zaitsev via devel <[email protected]> writes:
> 
> > FIDO2 is a proprietary black box. There are no software
> > implementations due to mandatory certification by the FIDO Alliance.
> 
> In addition to the others mentioned, if I was going to buy another
> normal sort of hardware key, it would probably be a Nitrokey with free
> firmware, made in Germany (if you care), and looks a bit cheaper than
> Yubikeys.

I'm personally strongly in the +1 column for mandatory 2FA. Packagers 
(especially proven packagers)
are an incredible target for supply chain attacks, they've got the power to 
push updates out to
Fedora and CentOS/RHEL's userbase without review and an attack like that could 
get pretty far before
being noticed.

There's probably an important discussion to be had about how we'd detect and 
remediate the compromise
of someone in that role. It has happened before and it will happen again, there 
are articles today
about it happening to an Arch packager. Ideas on what we do about this whilst 
preserving piracy
and agility (e.g. I don't think it would ever be practical to enforce PR 
reviews on every commit to dist-git)
would be worth sharing.

In the more immediate term, if there's interest then I'd be happy to look at 
what we can do to
make TOTP on hardware keys easier to use. Documentation on the setup and 
perhaps some tweaks to fkinit
could be useful, and I've got a variety of brands of hardware keys from $DAYJOB 
that I can test with.
Obviously this would be a stop-gap until we're in the position to do proper 
FIDO, but I think it's better
than nothing.

-- 
Daniel Milnes

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to