On Wed, 7 Sept 2022 at 02:53, Adam Williamson <adamw...@fedoraproject.org> wrote:
> On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote: > > On 06/09/2022 23:14, Jonathan Wright wrote: > > > Fedora must be looked at as more than just a "hobby project" even > though > > > it is a hobby for some. > > > > There are many casual maintainers who maintain one or two packages. We > > shouldn't force them to leave Fedora. > > > > > It's an OS that many rely on and $25 is a somewhat trivial cost for > improved security. > > > > There are many contributors from countries where $25 is a lot. We > > shouldn't set up financial barriers. This is a dead end. > > I think we kind of have two competing factors here, and it's not much > use Camp A saying "FACTOR A IS IMPORTANT!" and Camp B saying "NO FACTOR > B IS IMPORTANT!" and that just going round in circles. > > On the one hand, Fedora is not just a hobby project. It's an important > upstream in the F/OSS ecosystem. Very important downstreams like > CentOS, RHEL, Amazon Linux and others are built out of it. It's > absolutely an attractive target for a supply chain attack. We have an > ethical responsibility to the F/OSS community to harden ourselves > against such attacks, and FIDO2 auth would be a good way to do that. > > So I think all this focusing on FIDO2 as a requirement is the problem. We are looking at least 2-3 years before Fedora Infrastructure could actually support it at scale. This is not just technical support, but needing people to actually handle the problems. We have a hard enough handling OTP tokens that people put in and then immediately lose so can't log in or change their accounts. Dealing with 100 developers who only put one token on their system and then promptly lose it after going for a jog etc is going to be a nightmare. [I had to support scientists with one time tokens before, and it is a constant 'I lost my token and I need to be verified that I am who I am. Can I get a new token?' etc.] So I am going to say I am in agreement with Vitaly that FIDO2 is not a solution we could support at this time. At most we could support HOTP via yubikey but we would need to be able to make sure 1. That we have some sort of '5 codes which can be used in case of emergency'. These are printed on a screen and that is it. 2. We make sure that people have 2 additional devices attached before OTP is 'enabled'. Otherwise this is going to end in tears even before we tried to get 'FIDO2' set up. > On the other hand, you are correct that requiring people to either pay > money or accept proprietary software at some level in order to > contribute packages to Fedora would be a barrier to contribution, and > barriers to contribution suck. We could maybe find a sponsor to send > *existing* packagers a hardware token, but that still leaves the > problem of what to do about *new* packagers - find a sponsor willing to > mail a key to anyone who passes a package review? Well, maybe. What to > do about country laws and export controls that have been brought up? > That's another problem. > > So, we are in a dilemma without a perfect solution. We either have to > decide which factor is more important, or find some way to > compromise/finesse things, like requiring FIDO2 auth only for > provenpackagers. Or only for commits to critpath packages. (And then > what to do about Supplements:-style attacks?) > > The productive thing to do is discuss which factor is the most > important, or what the best compromise would be. Not just have two sets > of people keep repeating at each other that each factor exists. > -- > Adam Williamson > Fedora QA > IRC: adamw | Twitter: adamw_ha > https://www.happyassassin.net > > _______________________________________________ > devel mailing list -- devel@lists.fedoraproject.org > To unsubscribe send an email to devel-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- Stephen Smoogen, Red Hat Automotive Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
