On Sun, Dec 27, 2020 at 01:11:20PM +0000, Dridi Boukelmoune wrote: > On Sat, Dec 26, 2020 at 6:14 PM Kevin Fenzi <ke...@scrye.com> wrote: > > > > On Thu, Dec 24, 2020 at 07:32:04AM +0000, Dridi Boukelmoune wrote: > > > > The weakest point in the current system is really the FAS password. If > > > > you have a packager's FAS password you can change the ssh key > > > > associated with the account to another that you control, and the FAS > > > > password is also all you need to run a build and submit it to Bodhi. > > > > Well, really the weakest point is email. If you have control over a fas > > accounts email address you can reset the password, etc. > > > > > Or you add an SSH key without removing the maintainer's keys on the > > > off chance that it would go unnoticed... > > > > fas sends email on every such change. > > There are situations where notifications could go unnoticed. At this > point if an attacker managed to compromise an email address and add an > SSH key to a fas account, the attacker might also delete the > notification email promptly.
Sure, or reset the password...or change the email address, or pretty much anything. This is why I said "the weakest point is email". We assume someone who controls an email is the same as the person who controls the account associated with that email. kevin
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
