If attackers are able to publish abusive ASF software products and shut down ASF to coordinate a fixing software release, we can safely assume that attackers are also in control of whatever information is available in private svn. It is probable that a well-known PMC member's identity is being impersonated by attackers for several months.
Unluckily, I don't see how we can get out of this. Just think of our global structure and lack of in-person contact. Gary and I are on the same PMC. But I don't see Gary trying to call me on my private Italian mobile. And if I receive a call from the USA on my private mobile, I would probably ignore it as a spam call. Even if I respond, I have never met Gary in person. Verifying his identity will be a challenge. As far as I see it, if we need backup contact information, we are already one step over the edge and in free fall.

On Thu, 10 Oct 2024, 19:46 Jeff Jirsa, <jji...@apache.org> wrote:

> On 2024/10/10 16:04:22 Mark Thomas wrote:
> > On 10/10/2024 09:21, Gary Gregory wrote:
> > > If I can't get to Gmail, there's probably a lot more wrong with my
> > > connectivity than just that ;-)
> >
> > The greater risk is the ASF email is unavailable. Think threat actors
> > performing a DDoS on ASF infra while we are trying to co-ordinate fixing
> > the vulnerability.
>
> Or compromised, such that email itself is available but exposed to
> attackers (or controlled by attackers and considered untrustworthy).
>
> "Try ponymail" doesn't solve for that threat - even if you can send from
> ponymail and read at ponymail, it immediately exposes all of the
> coordination to the attacker?