Re: Do we have any policy for disabling inactive users

2022-04-19 Thread Kevin Fenzi
Just to revive this thread, there's a proposed policy discussed at https://pagure.io/fesco/issue/2759 and codified in https://pagure.io/fesco/fesco-docs/pull-request/61. If all interested parties could take a look and comment back here with any changes or concerns, FESCo can move it forward.

Re: Preventing account takeovers through expired domains (was: Do we have any policy for disabling inactive users)

2022-02-19 Thread Zbigniew Jędrzejewski-Szmek
On Sat, Feb 19, 2022 at 02:18:38PM +0100, Björn Persson wrote: > Possible step 3: A program on a Fedora Project server notes that > example.net has been deactivated. The program removes the address > j@example.net from J. Doe's account, or disables sending to the > nonexistent address. ... >

Preventing account takeovers through expired domains (was: Do we have any policy for disabling inactive users)

2022-02-19 Thread Björn Persson
Vitaly Zaitsev via devel wrote: > We're talking about potentially hacked accounts, right? In this subthread I'm talking about *preventing* account takeovers so that they don't happen in the first place. One specific method of takeover that the Fedora Project would be able to prevent. I thought

Re: Do we have any policy for disabling inactive users

2022-02-17 Thread Stephen Snow
On Thu, 2022-02-17 at 19:22 +0100, Zbigniew Jędrzejewski-Szmek wrote: > On Wed, Feb 16, 2022 at 12:51:13PM -0500, Stephen Snow wrote: > > On Wed, 2022-02-16 at 09:13 -0800, Adam Williamson wrote: > > > On Wed, 2022-02-16 at 11:21 -0500, Stephen Snow wrote: > > > > Hello, > > > > I don't mean to

Re: Do we have any policy for disabling inactive users

2022-02-17 Thread Zbigniew Jędrzejewski-Szmek
On Wed, Feb 16, 2022 at 12:51:13PM -0500, Stephen Snow wrote: > On Wed, 2022-02-16 at 09:13 -0800, Adam Williamson wrote: > > On Wed, 2022-02-16 at 11:21 -0500, Stephen Snow wrote: > > > Hello, > > > I don't mean to jump in the middle here, and I am just tossing out > > > an > > > idea for

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Adam Williamson
On Wed, 2022-02-16 at 19:49 +, Mattia Verga via devel wrote: > On 14/02/22 20:19, Adam Williamson wrote: > > On Mon, 2022-02-14 at 17:48 +, Mattia Verga via devel wrote: > > > As I reported in the Fesco ticket, I've published the script to check > > > packagers activity at

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Mattia Verga via devel
On 14/02/22 20:19, Adam Williamson wrote: > On Mon, 2022-02-14 at 17:48 +, Mattia Verga via devel wrote: >> As I reported in the Fesco ticket, I've published the script to check >> packagers activity at https://pagure.io/find-inactive-packagers >> >> The latest run showed 274 totally

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Stephen Snow
On Wed, 2022-02-16 at 09:13 -0800, Adam Williamson wrote: > On Wed, 2022-02-16 at 11:21 -0500, Stephen Snow wrote: > > Hello, > > I don't mean to jump in the middle here, and I am just tossing out > > an > > idea for consideration that doesn't address security issues pointed > > out > > really, but

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Stephen Snow
On Wed, 2022-02-16 at 17:38 +0100, Emmanuel Seyman wrote: > * Stephen Snow [16/02/2022 11:21] : > > > >     Perhaps the automation should > > do > > just that, demote primary packager (from owner to co-maintainer) if > > inactive for over a year and promote the

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Adam Williamson
On Wed, 2022-02-16 at 11:21 -0500, Stephen Snow wrote: > Hello, > I don't mean to jump in the middle here, and I am just tossing out an > idea for consideration that doesn't address security issues pointed out > really, but does discuss the non-responsive main maintainer. > I note there is a

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Emmanuel Seyman
* Stephen Snow [16/02/2022 11:21] : > > Perhaps the automation should do > just that, demote primary packager (from owner to co-maintainer) if > inactive for over a year and promote the main supporter for the year to > be the owner from co-maintainer. Can you

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Stephen Snow
Hello, I don't mean to jump in the middle here, and I am just tossing out an idea for consideration that doesn't address security issues pointed out really, but does discuss the non-responsive main maintainer. I note there is a difficulty in defining the criteria for determining when an

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Vitaly Zaitsev via devel
On 16/02/2022 11:32, Björn Persson wrote: Loss of an email address does not imply loss of a FAS passphrase, so in most cases they would just log in as usual. We're talking about potentially hacked accounts, right? If the hacker has the password, they can easily restore this account. That's

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Björn Persson
Vitaly Zaitsev via devel wrote: > On 15/02/2022 19:43, Björn Persson wrote: > > The packager would then be required to authenticate with their existing > > credentials – or prove their identity in some way that does not rely on > > ownership of the email address – and set a new email address in

Re: Do we have any policy for disabling inactive users

2022-02-16 Thread Vitaly Zaitsev via devel
On 15/02/2022 19:43, Björn Persson wrote: The packager would then be required to authenticate with their existing credentials – or prove their identity in some way that does not rely on ownership of the email address – and set a new email address in their account. How? I know only one suitable

Re: Do we have any policy for disabling inactive users

2022-02-15 Thread Björn Persson
Mattia Verga via devel wrote: > I also imagine the case where a user no longer uses their email address and > it becomes available to someone else. The new user may easily reset the > password and gain access to the old Fedora account (provided that the > old user didn't use 2fa). Here's an article

Re: Do we have any policy for disabling inactive users

2022-02-14 Thread Adam Williamson
On Mon, 2022-02-14 at 17:48 +, Mattia Verga via devel wrote: > As I reported in the Fesco ticket, I've published the script to check > packagers activity at https://pagure.io/find-inactive-packagers > > The latest run showed 274 totally inactive packagers [1]. However, I've > just realized

Re: Do we have any policy for disabling inactive users

2022-02-14 Thread Mattia Verga via devel
As I reported in the Fesco ticket, I've published the script to check packagers activity at https://pagure.io/find-inactive-packagers The latest run showed 274 totally inactive packagers [1]. However, I've just realized that the activity check made by datagrepper is wrong: the current query

Re: Do we have any policy for disabling inactive users

2022-02-14 Thread Pierre-Yves Chibon
On Sat, Feb 12, 2022 at 10:29:54AM +, Mattia Verga via devel wrote: > On 11/02/22 20:24, Kevin Fenzi wrote: > > On Fri, Feb 11, 2022 at 11:33:13AM +, Mattia Verga via devel wrote: > >> On 11/02/22 12:20, Florian Weimer wrote: > >>> * Mattia Verga via devel: > >>> > Il

Re: Do we have any policy for disabling inactive users

2022-02-14 Thread Pierre-Yves Chibon
On Fri, Feb 11, 2022 at 11:24:24AM -0800, Kevin Fenzi wrote: > On Fri, Feb 11, 2022 at 11:33:13AM +, Mattia Verga via devel wrote: > > On 11/02/22 12:20, Florian Weimer wrote: > > > * Mattia Verga via devel: > > > > > >> On 11/02/22 10:41, Miro Hrončok wrote: > > >>> On 11. 02. 22

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Adam Williamson
On Sat, 2022-02-12 at 14:52 +0100, Zbigniew Jędrzejewski-Szmek wrote: > On Sat, Feb 12, 2022 at 12:50:58PM +0100, Vitaly Zaitsev via devel wrote: > > > Thus, if you are able to create a build that > > > is submitted as an update (i.e. either build it for rawhide, or build it > > > for other

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Zbigniew Jędrzejewski-Szmek
On Sat, Feb 12, 2022 at 12:50:58PM +0100, Vitaly Zaitsev via devel wrote: > > Thus, if you are able to create a build that > > is submitted as an update (i.e. either build it for rawhide, or build it > > for other releases and create a bodhi update), this is enough to wreak > > havoc at > > least

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Mattia Verga via devel
On 12/02/22 12:20, Vitaly Zaitsev via devel wrote: > On 12/02/2022 12:16, Fabio Valentini wrote: >> That's not true. You need to log in to src.fedoraproject.org at least >> *once* to get group memberships synced over (including "packager"). > True. But only once. True, but even if the user

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Vitaly Zaitsev via devel
On 12/02/2022 12:32, Zbigniew Jędrzejewski-Szmek wrote: All packages are "equal": any package can ship any file, and in fact any package can execute scripts *as root* during installation. True. Thus, if you are able to create a build that is submitted as an update (i.e. either build it for

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Zbigniew Jędrzejewski-Szmek
On Sat, Feb 12, 2022 at 12:00:11PM +0100, Vitaly Zaitsev via devel wrote: > On 11/02/2022 07:54, Zbigniew Jędrzejewski-Szmek wrote: > > With 1500+ unused accounts it is just *too easy* > > for someone to find a way to access one of the accounts in an unauthorized > > way. > > What they can do with

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Vitaly Zaitsev via devel
On 12/02/2022 12:16, Fabio Valentini wrote: That's not true. You need to log in to src.fedoraproject.org at least *once* to get group memberships synced over (including "packager"). True. But only once. -- Sincerely, Vitaly Zaitsev (vit...@easycoding.org)

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Fabio Valentini
On Sat, Feb 12, 2022 at 11:46 AM Vitaly Zaitsev via devel wrote: > > On 09/02/2022 08:03, Mattia Verga via devel wrote: > > Just being paranoid here: do we have any policy / automatism for > > disabling "power" users (in packager group or like) which have been > > inactive for a long time? > > Some

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Vitaly Zaitsev via devel
On 11/02/2022 10:41, Miro Hrončok wrote: They might have never even logged into src.fedoraproject.org You don't need to be logged into src.fedoraproject.org or account.fedoraproject.org to maintain packages. You can simply make commits and send them to Bodhi using CLI tools. -- Sincerely,

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Vitaly Zaitsev via devel
On 11/02/2022 07:54, Zbigniew Jędrzejewski-Szmek wrote: With 1500+ unused accounts it is just *too easy* for someone to find a way to access one of the accounts in an unauthorized way. What can they do with this? Pushing a new update for the foo-bar package? We have Bodhi against this. In

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Vitaly Zaitsev via devel
On 09/02/2022 18:04, Mattia Verga via devel wrote: For example, if someone pulls from src.fedoraproject.org a list of users in the packagers group which have been inactive for a long time, check if their email is inactive and if it has been made available for claiming, then they claim the email

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Vitaly Zaitsev via devel
On 09/02/2022 08:03, Mattia Verga via devel wrote: Just being paranoid here: do we have any policy / automatism for disabling "power" users (in packager group or like) which have been inactive for a long time? Some maintainers don't have recent commits or Koji builds because other Fedora

Re: Do we have any policy for disabling inactive users

2022-02-12 Thread Mattia Verga via devel
On 11/02/22 20:24, Kevin Fenzi wrote: > On Fri, Feb 11, 2022 at 11:33:13AM +, Mattia Verga via devel wrote: >> On 11/02/22 12:20, Florian Weimer wrote: >>> * Mattia Verga via devel: >>> On 11/02/22 10:41, Miro Hrončok wrote: > On 11. 02. 22 10:12, Mattia Verga via devel

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Kevin Fenzi
On Fri, Feb 11, 2022 at 07:12:04AM -0600, Richard Shaw wrote: > Not quoting anyone in particular but I thought I saw it referenced in this > thread (and definitely the previous thread from last year). > > What's wrong with having someone "sign" the CLA every year? At work a > non-disclosure is

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Kevin Fenzi
On Fri, Feb 11, 2022 at 11:33:13AM +, Mattia Verga via devel wrote: > On 11/02/22 12:20, Florian Weimer wrote: > > * Mattia Verga via devel: > > > >> On 11/02/22 10:41, Miro Hrončok wrote: > >>> On 11. 02. 22 10:12, Mattia Verga via devel wrote: > Where are those 2543 packagers

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Richard Shaw
Not quoting anyone in particular but I thought I saw it referenced in this thread (and definitely the previous thread from last year). What's wrong with having someone "sign" the CLA every year? At work a non-disclosure is only good for two years. Is a CLA a lifetime agreement? Thanks, Richard

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Vít Ondruch
On 11. 02. 22 at 11:38 Björn Persson wrote: Gary Buhrmaster wrote: A quick (and likely bad and incomplete) bugzilla search shows over 1000 tickets where there are upstream updates that are still in NEW status in bugzilla and had been (initially) opened over a year ago. I think that

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Mattia Verga via devel
On 11/02/22 13:11, Zbigniew Jędrzejewski-Szmek wrote: > On Fri, Feb 11, 2022 at 11:42:19AM +, Mattia Verga via devel wrote: >> I've written down a script [1] to fetch users which belong to packager >> group and show no activity in datagrepper in a year. >> >> It found 104 users [2]. >> >>

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Feb 11, 2022 at 11:42:19AM +, Mattia Verga via devel wrote: > I've written down a script [1] to fetch users which belong to packager > group and show no activity in datagrepper in a year. > > It found 104 users [2]. > > [1] >

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Gary Buhrmaster
On Fri, Feb 11, 2022 at 10:43 AM Ian McInerney via devel wrote: > > On Fri, Feb 11, 2022 at 10:39 AM Björn Persson wrote: >> >> Yes, that's a bad search. Till Maas told me eight years ago that the >> release monitoring tickets are supposed to remain open when the >> packages are upgraded. Thus

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Mattia Verga via devel
I've written down a script [1] to fetch users which belong to packager group and show no activity in datagrepper in a year. It found 104 users [2]. [1] https://mattia.fedorapeople.org/inactive-packagers/find_inactive_packagers.py [2]

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Mattia Verga via devel
On 11/02/22 12:20, Florian Weimer wrote: > * Mattia Verga via devel: > >> On 11/02/22 10:41, Miro Hrončok wrote: >>> On 11. 02. 22 10:12, Mattia Verga via devel wrote: Where do those 2543 packagers come from? src.fedoraproject.org only shows 1787 users in the packager group:

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Florian Weimer
* Mattia Verga via devel: > On 11/02/22 10:41, Miro Hrončok wrote: >> On 11. 02. 22 10:12, Mattia Verga via devel wrote: >>> Where do those 2543 packagers come from? src.fedoraproject.org only >>> shows 1787 users in the packager group: >>> >>>

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Ian McInerney via devel
On Fri, Feb 11, 2022 at 10:39 AM Björn Persson wrote: > Gary Buhrmaster wrote: > > A quick (and likely > > bad and incomplete) bugzilla search shows > > over 1000 tickets where there are upstream > > updates that are still in NEW status in > > bugzilla and had been (initially) opened > > over a

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Björn Persson
Ben Cotton wrote: > I would support removing the 113 who don't exist in Koji. If they have been that way for a long time, I suppose. Don't cause additional hurdles for newcomers just because their first review takes a while. Björn Persson

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Björn Persson
Gary Buhrmaster wrote: > A quick (and likely > bad and incomplete) bugzilla search shows > over 1000 tickets where there are upstream > updates that are still in NEW status in > bugzilla and had been (initially) opened > over a year ago. I think that represents > around 350 unique people. Those

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Mattia Verga via devel
On 11/02/22 10:41, Miro Hrončok wrote: > On 11. 02. 22 10:12, Mattia Verga via devel wrote: >> On 10/02/22 22:57, Ben Cotton wrote: >>> On Thu, Feb 10, 2022 at 1:39 PM Zbigniew Jędrzejewski-Szmek >>> wrote: since you have the script handy, could you check how many (non-pp)

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Miro Hrončok
On 11. 02. 22 10:12, Mattia Verga via devel wrote: On 10/02/22 22:57, Ben Cotton wrote: On Thu, Feb 10, 2022 at 1:39 PM Zbigniew Jędrzejewski-Szmek wrote: since you have the script handy, could you check how many (non-pp) packagers would be reported as inactive pretty please? Maybe with

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Mattia Verga via devel
On 10/02/22 22:57, Ben Cotton wrote: > On Thu, Feb 10, 2022 at 1:39 PM Zbigniew Jędrzejewski-Szmek > wrote: >> since you have the script handy, could you check how many (non-pp) >> packagers would be reported as inactive pretty please? Maybe with the >> inactivity threshold raised to 1

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Dan Čermák
Mattia Verga via devel writes: > On 11/02/22 07:54, Zbigniew Jędrzejewski-Szmek wrote: >> On Thu, Feb 10, 2022 at 11:05:03PM +, Gary Buhrmaster wrote: >>> On Thu, Feb 10, 2022 at 9:58 PM Ben Cotton wrote: >>> I have concerns with this approach. I would guess there's a long tail

Re: Do we have any policy for disabling inactive users

2022-02-11 Thread Mattia Verga via devel
On 11/02/22 07:54, Zbigniew Jędrzejewski-Szmek wrote: > On Thu, Feb 10, 2022 at 11:05:03PM +, Gary Buhrmaster wrote: >> On Thu, Feb 10, 2022 at 9:58 PM Ben Cotton wrote: >> >>> I have concerns with this approach. I would guess there's a long tail >>> of packagers that maintain relatively

Re: Do we have any policy for disabling inactive users

2022-02-10 Thread Zbigniew Jędrzejewski-Szmek
On Thu, Feb 10, 2022 at 11:05:03PM +, Gary Buhrmaster wrote: > On Thu, Feb 10, 2022 at 9:58 PM Ben Cotton wrote: > > > I have concerns with this approach. I would guess there's a long tail > > of packagers that maintain relatively few packages. These packages > > might not have frequent

Re: Do we have any policy for disabling inactive users

2022-02-10 Thread Gary Buhrmaster
On Thu, Feb 10, 2022 at 9:58 PM Ben Cotton wrote: > I have concerns with this approach. I would guess there's a long tail > of packagers that maintain relatively few packages. These packages > might not have frequent upstream releases or require new manual > builds. There are a lot of packages

Re: Do we have any policy for disabling inactive users

2022-02-10 Thread Simo Sorce
On Thu, 2022-02-10 at 16:57 -0500, Ben Cotton wrote: > On Thu, Feb 10, 2022 at 1:39 PM Zbigniew Jędrzejewski-Szmek > wrote: > > > > since you have the script handy, could you check how many (non-pp) > > packagers would be reported as inactive pretty please? Maybe with the > > inactivity

Re: Do we have any policy for disabling inactive users

2022-02-10 Thread Ben Cotton
On Thu, Feb 10, 2022 at 1:39 PM Zbigniew Jędrzejewski-Szmek wrote: > > since you have the script handy, could you check how many (non-pp) > packagers would be reported as inactive pretty please? Maybe with the > inactivity threshold raised to 1 year instead of 0.5 y. I had to run it a second

Re: Do we have any policy for disabling inactive users

2022-02-10 Thread Zbigniew Jędrzejewski-Szmek
On Thu, Feb 10, 2022 at 03:01:25AM +, Gary Buhrmaster wrote: > On Wed, Feb 9, 2022 at 5:05 PM Mattia Verga via devel > wrote: > > > That is referring to provenpackagers only. I'd like this to be extended > > to users in packagers group also. Ben, since you have the script handy, could you

Re: Do we have any policy for disabling inactive users

2022-02-09 Thread Gary Buhrmaster
On Wed, Feb 9, 2022 at 5:05 PM Mattia Verga via devel wrote: > That is referring to provenpackagers only. I'd like this to be extended > to users in packagers group also. FWIW, the last time this came up, there was a vague idea to require a yearly resigning of the CLA (or something equivalent,

Re: Do we have any policy for disabling inactive users

2022-02-09 Thread Gary Buhrmaster
On Wed, Feb 9, 2022 at 5:05 PM Mattia Verga via devel wrote: > That is referring to provenpackagers only. I'd like this to be extended > to users in packagers group also. Given that provenpackagers are the group that can do the most potential damage, that process arguably covers the users in the

Re: Do we have any policy for disabling inactive users

2022-02-09 Thread Mattia Verga via devel
On 09/02/22 08:54, Adam Williamson wrote: > On Wed, 2022-02-09 at 07:03 +, Mattia Verga via devel wrote: >> Just being paranoid here: do we have any policy / automatism for >> disabling "power" users (in packager group or like) which have been >> inactive for a long time? > Yes. > >

Re: Do we have any policy for disabling inactive users

2022-02-09 Thread Ben Cotton
On Wed, Feb 9, 2022 at 7:25 AM Ben Cotton wrote: > It was missed last time, Now that I've had my coffee I want to correct my use of the passive voice. *I* missed it last time. Carry on. -- Ben Cotton He / Him / His Fedora Program Manager Red Hat TZ=America/Indiana/Indianapolis

Re: Do we have any policy for disabling inactive users

2022-02-09 Thread Ben Cotton
On Wed, Feb 9, 2022, 02:54 Adam Williamson wrote: The audit described there was done once last February after the policy > was approved. It does not seem to have been done when F35 branched, > though (unless the audit turned up no further dormant provenpackagers > and thus no mail was sent).

Re: Do we have any policy for disabling inactive users

2022-02-08 Thread Adam Williamson
On Wed, 2022-02-09 at 07:03 +, Mattia Verga via devel wrote: > Just being paranoid here: do we have any policy / automatism for > disabling "power" users (in packager group or like) which have been > inactive for a long time? Yes.

Re: Do we have any policy for disabling inactive users

2022-02-08 Thread Dan Čermák
Mattia Verga via devel writes: > Just being paranoid here: do we have any policy / automatism for > disabling "power" users (in packager group or like) which have been > inactive for a long time? > > I'm no security expert, but an inactive user account may be hacked > without noticing and if such

Do we have any policy for disabling inactive users

2022-02-08 Thread Mattia Verga via devel
Just being paranoid here: do we have any policy / automatism for disabling "power" users (in packager group or like) which have been inactive for a long time? I'm no security expert, but an inactive user account may be hacked without noticing and if such an account has powers like being in the