Re: Stale proven packagers

2021-01-04 Thread Pierre-Yves Chibon
On Tue, Dec 22, 2020 at 01:39:26PM -0800, Adam Williamson wrote: > On Tue, 2020-12-22 at 13:23 -0800, Kevin Fenzi wrote: > > > > > Perhaps we need a process for cleaning up membership of this extremely > > > powerful group? If the FAS password of *any one* of those user accounts > > > were

Re: Stale proven packagers

2021-01-04 Thread Pierre-Yves Chibon
On Tue, Dec 22, 2020 at 12:39:56PM -0800, Adam Williamson wrote: > A propos of some discussion of the Solarwinds news, it occurred to me > to check how many proven packager accounts there are in FAS. There are > 251, which seems like a lot. Then it occurred to me to check how many > of them are

Re: Stale proven packagers

2020-12-30 Thread Ken Dreyer
On Sun, Dec 27, 2020 at 7:38 PM Kevin Fenzi wrote: > You can add more than one. Just put them in a file and upload all of > them for 'ssh key' one key per line. There's a limit based on > applications getting the ssh keys, but you can upload multiple keys > fine. Oh, ok! Thanks.

Re: Stale proven packagers

2020-12-29 Thread Kevin Fenzi
On Wed, Dec 30, 2020 at 12:00:47AM +0100, Dominik 'Rathann' Mierzejewski wrote: > On Monday, 28 December 2020 at 03:38, Kevin Fenzi wrote: > > On Sun, Dec 27, 2020 at 06:43:23PM -0700, Ken Dreyer wrote: > > > On Thu, Dec 24, 2020 at 12:33 AM Dridi Boukelmoune > > > wrote: > > > > > > > > > The

Re: Stale proven packagers

2020-12-29 Thread Dominik 'Rathann' Mierzejewski
On Monday, 28 December 2020 at 03:38, Kevin Fenzi wrote: > On Sun, Dec 27, 2020 at 06:43:23PM -0700, Ken Dreyer wrote: > > On Thu, Dec 24, 2020 at 12:33 AM Dridi Boukelmoune > > wrote: > > > > > > > The weakest point in the current system is really the FAS password. If > > > > you have a

Re: Stale proven packagers

2020-12-27 Thread Kevin Fenzi
On Sun, Dec 27, 2020 at 06:43:23PM -0700, Ken Dreyer wrote: > On Thu, Dec 24, 2020 at 12:33 AM Dridi Boukelmoune > wrote: > > > > > The weakest point in the current system is really the FAS password. If > > > you have a packager's FAS password you can change the ssh key > > > associated with the

Re: Stale proven packagers

2020-12-27 Thread Kevin Fenzi
On Sun, Dec 27, 2020 at 01:11:20PM +, Dridi Boukelmoune wrote: > On Sat, Dec 26, 2020 at 6:14 PM Kevin Fenzi wrote: > > > > On Thu, Dec 24, 2020 at 07:32:04AM +, Dridi Boukelmoune wrote: > > > > The weakest point in the current system is really the FAS password. If > > > > you have a

Re: Stale proven packagers

2020-12-27 Thread Ken Dreyer
On Thu, Dec 24, 2020 at 12:33 AM Dridi Boukelmoune wrote: > > > The weakest point in the current system is really the FAS password. If > > you have a packager's FAS password you can change the ssh key > > associated with the account to another that you control, and the FAS > > password is also

Re: Stale proven packagers

2020-12-27 Thread Dridi Boukelmoune
On Sat, Dec 26, 2020 at 6:14 PM Kevin Fenzi wrote: > > On Thu, Dec 24, 2020 at 07:32:04AM +, Dridi Boukelmoune wrote: > > > The weakest point in the current system is really the FAS password. If > > > you have a packager's FAS password you can change the ssh key > > > associated with the

Re: Stale proven packagers

2020-12-27 Thread Peter Robinson
On Sat, Dec 26, 2020 at 10:54 PM Björn Persson wrote: > > Gary Buhrmaster wrote: > > Arguably those with elevated access (provenpackagers(*)) > > should be required to use a hardware token such > > as a FIDO2 authenticator with biometrics and/or > > PIN required > > I'm in favor of complementing

Re: Stale proven packagers

2020-12-27 Thread Guido Aulisi
On Sat, 26/12/2020 at 23.53 +0100, Björn Persson wrote: > Gary Buhrmaster wrote: > > Arguably those with elevated access (provenpackagers(*)) > > should be required to use a hardware token such > > as a FIDO2 authenticator with biometrics and/or > > PIN required > > I'm in favor of

Re: Stale proven packagers

2020-12-26 Thread Björn Persson
Gary Buhrmaster wrote: > Arguably those with elevated access (provenpackagers(*)) > should be required to use a hardware token such > as a FIDO2 authenticator with biometrics and/or > PIN required I'm in favor of complementing the FAS passphrase with a second factor. I'm against any attempt to

Re: Stale proven packagers

2020-12-26 Thread Kevin Fenzi
On Thu, Dec 24, 2020 at 07:32:04AM +, Dridi Boukelmoune wrote: > > The weakest point in the current system is really the FAS password. If > > you have a packager's FAS password you can change the ssh key > > associated with the account to another that you control, and the FAS > > password is

Re: Stale proven packagers

2020-12-26 Thread Kevin Fenzi
On Wed, Dec 23, 2020 at 12:49:10AM +, Peter Robinson wrote: > > Just to expand on this a little. Removing access from people that have > left the project either because they've decided they're able to > continue to contribute (option 1) or because something has triggered > an admin process

Re: Stale proven packagers

2020-12-26 Thread Miro Hrončok
On 22. 12. 20 21:39, Adam Williamson wrote: Perhaps we need a process for cleaning up membership of this extremely powerful group? If the FAS password of *any one* of those user accounts were somehow compromised (or if just one of them decided they had a grudge against Fedora now and were going

Re: Stale proven packagers

2020-12-24 Thread David Kaufmann
On Thu, Dec 24, 2020 at 11:35:03AM +, Peter Robinson wrote: > On Thu, Dec 24, 2020 at 10:43 AM Leigh Scott wrote: > > > > > On Wed, Dec 23, 2020 at 12:49 PM Vitaly Zaitsev via devel > > > > > > > > > > > It does support it, but AFAIK does not require it. > > > > > > Arguably those with

Re: Stale proven packagers

2020-12-24 Thread Peter Robinson
On Thu, Dec 24, 2020 at 10:43 AM Leigh Scott wrote: > > > On Wed, Dec 23, 2020 at 12:49 PM Vitaly Zaitsev via devel > > > > > > > It does support it, but AFAIK does not require it. > > > > Arguably those with elevated access (provenpackagers(*)) > > should be required to use a hardware token

Re: Stale proven packagers

2020-12-24 Thread Leigh Scott
> On Wed, Dec 23, 2020 at 12:49 PM Vitaly Zaitsev via devel > > > It does support it, but AFAIK does not require it. > > Arguably those with elevated access (provenpackagers(*)) > should be required to use a hardware token such > as a FIDO2 authenticator with biometrics and/or > PIN required

Re: Stale proven packagers

2020-12-23 Thread Dridi Boukelmoune
> The weakest point in the current system is really the FAS password. If > you have a packager's FAS password you can change the ssh key > associated with the account to another that you control, and the FAS > password is also all you need to run a build and submit it to Bodhi. Or you add an SSH

Re: Stale proven packagers

2020-12-23 Thread Gary Buhrmaster
On Wed, Dec 23, 2020 at 8:43 PM Matthew Miller wrote: > I'm not in favor of that -- I think it's generally not the best policy Correct, that is what FIDO2 biometrics are designed to replace entirely. Passwords, in general, must die. > and doesn't address the issue directly. Agreed, as was

Re: Stale proven packagers

2020-12-23 Thread Matthew Miller
On Wed, Dec 23, 2020 at 12:06:25PM -0800, Michel Alexandre Salim wrote: > Maybe mandatory password/key rotation is an option? With your account > disabled after a grace period if the password is expired. I'm not in favor of that -- I think it's generally not the best policy¹ and doesn't address

Re: Stale proven packagers

2020-12-23 Thread Michel Alexandre Salim
On Wed, 2020-12-23 at 00:49 +, Peter Robinson wrote: > On Wed, Dec 23, 2020 at 12:37 AM Peter Robinson > wrote: > > > > On Wed, Dec 23, 2020 at 12:20 AM Kevin Fenzi > > wrote: > > > > > > On Tue, Dec 22, 2020 at 11:22:17PM +, Peter Robinson wrote: > > > > On Tue, Dec 22, 2020 at 11:02

Re: Stale proven packagers

2020-12-23 Thread Adam Williamson
On Wed, 2020-12-23 at 18:04 +0100, Florian Weimer wrote: > * Gary Buhrmaster: > > > It does support it, but AFAIK does not require it. > > > > Arguably those with elevated access (provenpackagers(*)) > > should be required to use a hardware token such > > as a FIDO2 authenticator with

Re: Stale proven packagers

2020-12-23 Thread Colin Walters
On Wed, Dec 23, 2020, at 12:04 PM, Florian Weimer wrote: > Is there even meaningful two-factor authentication support for Git > pushes, anywhere? (Not just in the Fedora infrastructure.) This problem is solved by my plan:

Re: Stale proven packagers

2020-12-23 Thread Florian Weimer
* Gary Buhrmaster: > It does support it, but AFAIK does not require it. > > Arguably those with elevated access (provenpackagers(*)) > should be required to use a hardware token such > as a FIDO2 authenticator with biometrics and/or > PIN required (some phones with biometrics are

Re: Stale proven packagers

2020-12-23 Thread Adam Williamson
On Wed, 2020-12-23 at 15:05 +, Gary Buhrmaster wrote: > On Wed, Dec 23, 2020 at 12:49 PM Vitaly Zaitsev via devel > wrote: > > > > > Maybe Fedora should add 2FA support and require it for the most powerful > > groups? > > > > It does support it, but AFAIK does not require it. old-FAS

Re: Stale proven packagers

2020-12-23 Thread Gary Buhrmaster
On Wed, Dec 23, 2020 at 12:49 PM Vitaly Zaitsev via devel wrote: > > Maybe Fedora should add 2FA support and require it for the most powerful > groups? > It does support it, but AFAIK does not require it. Arguably those with elevated access (provenpackagers(*)) should be required to use a

Re: Stale proven packagers

2020-12-23 Thread Vitaly Zaitsev via devel
On 22.12.2020 21:39, Adam Williamson wrote: Perhaps we need a process for cleaning up membership of this extremely powerful group? If the FAS password of *any one* of those user accounts were somehow compromised (or if just one of them decided they had a grudge against Fedora now and were going

Re: Stale proven packagers

2020-12-23 Thread Zbigniew Jędrzejewski-Szmek
On Tue, Dec 22, 2020 at 03:55:22PM -0500, Ben Cotton wrote: > On Tue, Dec 22, 2020 at 3:44 PM Adam Williamson > wrote: > > > > Perhaps we need a process for cleaning up membership of this extremely > > powerful group? > > Yes, please. I think we should split the issue in two: handling the long

Re: Stale proven packagers

2020-12-22 Thread Christopher
On Tue, Dec 22, 2020 at 3:47 PM Richard Shaw wrote: > On Tue, Dec 22, 2020 at 2:40 PM Adam Williamson < > adamw...@fedoraproject.org> wrote: > >> >> Perhaps we need a process for cleaning up membership of this extremely >> powerful group? If the FAS password of *any one* of those user accounts

Re: Stale proven packagers

2020-12-22 Thread Peter Robinson
On Wed, Dec 23, 2020 at 12:37 AM Peter Robinson wrote: > > On Wed, Dec 23, 2020 at 12:20 AM Kevin Fenzi wrote: > > > > On Tue, Dec 22, 2020 at 11:22:17PM +, Peter Robinson wrote: > > > On Tue, Dec 22, 2020 at 11:02 PM Kevin Fenzi wrote: > > > > > > > > On Tue, Dec 22, 2020 at 10:29:11PM

Re: Stale proven packagers

2020-12-22 Thread Peter Robinson
On Wed, Dec 23, 2020 at 12:20 AM Kevin Fenzi wrote: > > On Tue, Dec 22, 2020 at 11:22:17PM +, Peter Robinson wrote: > > On Tue, Dec 22, 2020 at 11:02 PM Kevin Fenzi wrote: > > > > > > On Tue, Dec 22, 2020 at 10:29:11PM +, Peter Robinson wrote: > > > > > > > > I think what ever process is

Re: Stale proven packagers

2020-12-22 Thread Kevin Fenzi
On Tue, Dec 22, 2020 at 11:22:17PM +, Peter Robinson wrote: > On Tue, Dec 22, 2020 at 11:02 PM Kevin Fenzi wrote: > > > > On Tue, Dec 22, 2020 at 10:29:11PM +, Peter Robinson wrote: > > > > > > I think what ever process is run at the point their account is > > > disabled should revoke all

Re: Stale proven packagers

2020-12-22 Thread Peter Robinson
On Tue, Dec 22, 2020 at 11:02 PM Kevin Fenzi wrote: > > On Tue, Dec 22, 2020 at 10:29:11PM +, Peter Robinson wrote: > > > > I think whatever process is run at the point their account is > > disabled should revoke all privileges, that's a fairly standard IT > > security procedure. > > There's

Re: Stale proven packagers

2020-12-22 Thread Kevin Fenzi
On Tue, Dec 22, 2020 at 10:29:11PM +, Peter Robinson wrote: > > I think whatever process is run at the point their account is > disabled should revoke all privileges, that's a fairly standard IT > security procedure. There's no process for packages/provenpackagers. We do have a process

Re: Stale proven packagers

2020-12-22 Thread Peter Robinson
On Tue, Dec 22, 2020 at 9:58 PM Kevin Fenzi wrote: > > On Tue, Dec 22, 2020 at 01:39:26PM -0800, Adam Williamson wrote: > > > > So that proposal was just for all packagers. I think it should at least > > be reasonable to set a relatively high bar for being a provenpackager. > > That predates the

Re: Stale proven packagers

2020-12-22 Thread Peter Robinson
On Tue, Dec 22, 2020 at 9:23 PM Kevin Fenzi wrote: > > On Tue, Dec 22, 2020 at 12:39:56PM -0800, Adam Williamson wrote: > > A propos of some discussion of the Solarwinds news, it occurred to me > > to check how many proven packager accounts there are in FAS. There are > > 251, which seems like a

Re: Stale proven packagers

2020-12-22 Thread Ken Dreyer
On Tue, Dec 22, 2020, 2:39 PM Adam Williamson wrote: > So that proposal was just for all packagers. I think it should at least > be reasonable to set a relatively high bar for being a provenpackager. Agreed that there's a higher bar here. I think the privilege should be revoked if you've not

Re: Stale proven packagers

2020-12-22 Thread Kevin Fenzi
On Tue, Dec 22, 2020 at 01:39:26PM -0800, Adam Williamson wrote: > > So that proposal was just for all packagers. I think it should at least > be reasonable to set a relatively high bar for being a provenpackager. That predates the existence of the provenpackager group, so yeah. ;) > Proven

Re: Stale proven packagers

2020-12-22 Thread Adam Williamson
On Tue, 2020-12-22 at 13:23 -0800, Kevin Fenzi wrote: > > > Perhaps we need a process for cleaning up membership of this extremely > > powerful group? If the FAS password of *any one* of those user accounts > > were somehow compromised (or if just one of them decided they had a > > grudge against

Re: Stale proven packagers

2020-12-22 Thread Kevin Fenzi
On Tue, Dec 22, 2020 at 12:39:56PM -0800, Adam Williamson wrote: > A propos of some discussion of the Solarwinds news, it occurred to me > to check how many proven packager accounts there are in FAS. There are > 251, which seems like a lot. Then it occurred to me to check how many > of them are

Re: Stale proven packagers

2020-12-22 Thread Ben Cotton
On Tue, Dec 22, 2020 at 3:44 PM Adam Williamson wrote: > > Perhaps we need a process for cleaning up membership of this extremely > powerful group? Yes, please. I'll even go out on a limb and propose a process... > At a point (TBD) in each release cycle members of the provenpackager group >

Re: Stale proven packagers

2020-12-22 Thread Michael Cronenworth
On 12/22/20 2:39 PM, Adam Williamson wrote: epienbro In this case this individual has passed away. :( His packages were reassigned, but I don't think we have a process for taking care of the rest of an individual's resources (accounts, groups, etc.).

Re: Stale proven packagers

2020-12-22 Thread Andy Mender
On Tue, 22 Dec 2020 at 21:40, Adam Williamson wrote: > that's 90 of the 251 who still have provenpackager privileges, but > haven't run any kind of Koji build since at least 2019-01-01 (if you > check, it turns out many of them haven't run a build since long before > then). Many of them, to my

Re: Stale proven packagers

2020-12-22 Thread Richard Shaw
On Tue, Dec 22, 2020 at 2:40 PM Adam Williamson wrote: > > Perhaps we need a process for cleaning up membership of this extremely > powerful group? If the FAS password of *any one* of those user accounts > were somehow compromised (or if just one of them decided they had a > grudge against