Adam Williamson wrote:
> 1. We *still don't have compulsory 2FA for Fedora packagers*. We *still
> don't have compulsory 2FA for Fedora packagers*. *WE STILL DON'T HAVE
> COMPULSORY 2FA FOR FEDORA PACKAGERS*.

This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for 
contributors for a while, starting with "important" projects, then getting 
stricter and stricter. It has done absolutely nothing to stop this attack. 
How could it, when the backdoor was apparently introduced by the authorized 
maintainer? (Or if not, the attacker must have had access to their 2FA 
secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON 
US! And especially DO NOT abuse this incident as an excuse to force 2FA down 
our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being 
repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!

> 2. Our process for vetting packagers is, let's face it, from a security
> perspective almost *comically* patchy. There are 140 sponsors in the
> packager FAS group. Any one of those people - or someone who
> compromises any one of those 140 accounts - can grant any other person
> on earth Fedora packager status. Our policy on how they should do this
> is
> https://docs.fedoraproject.org/en-US/package-maintainers/How_to_Sponsor_a_New_Contributor/#sponsoring_someone_for_fedora_package_collection
> . The words "trust" and "identity" do not appear in it. There is,
> AFAIK, no policy or procedure by which inactive sponsors have this
> power removed. There is no mandatory 2FA policy for sponsors.

We already have a manpower problem, how is removing sponsors going to 
improve the situation?

> 3. We have no mechanism to flag when J. Random Packager adds
> "Supplements: glibc" to their random leaf node package. As a reminder,
> *we are a project that allows 1,601 minimally-vetted people to deliver
> arbitrary code executed as root on hundreds of thousands of systems*,
> and this mechanism allows any one of those people to cause the package
> they have complete control over to be automatically pulled in as a
> dependency on virtually every single one of those systems.

This would get noticed pretty quickly, when that package comes up in update 
transactions for no reason. I believe this has never happened so far. It is 
just too obvious.

        Kevin Kofler
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
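The `Supplements: glibc` mechanism argued over above (quoted point 3 and the reply) is an RPM reverse weak dependency: the package that declares the tag gets pulled in wherever the target is installed, so a leaf package can attach itself to every system that has glibc. The script below is an added example, not part of this thread and not Fedora's own tooling: it is one shape a review-time check of the kind point 3 describes as missing could take, scanning spec text for `Supplements`/`Enhances` lines whose targets are on a watch list of near-universal packages. The watch list, the sample spec snippets and the rule that a package may supplement itself (as glibc's own langpack subpackages do) are assumptions made for the illustration.

```python
"""Flag reverse weak dependencies (Supplements/Enhances) that point at
packages installed on essentially every system.

Added example for illustration; not Fedora infrastructure code.
"""
import re

# Constructed watch list (assumption): packages present on nearly every
# Fedora install. A real gate would derive this from comps groups or
# installation counts rather than a hard-coded set.
BASE_PACKAGES = {"glibc", "systemd", "bash", "filesystem", "rpm", "coreutils"}

# Only reverse weak deps matter here: the *target* pulls in the declarer.
# Forward weak deps (Recommends/Suggests) only affect the declaring package.
_TAG_LINE = re.compile(
    r"^\s*(Supplements|Enhances)\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)
_NAME_LINE = re.compile(r"^\s*Name\s*:\s*(\S+)", re.MULTILINE)
_RICH_KEYWORDS = {"and", "or", "if", "else", "with", "without", "unless"}
_OPERATORS = {"<", "<=", "=", ">=", ">"}


def targets_of(value):
    """Return the package names referenced by a dependency tag value.

    Handles comma-separated lists, version constraints ("glibc >= 2.38")
    and rich dependency syntax ("(glibc and langpacks-de)"). Unexpanded
    macros such as %{version} are dropped (assumption: specs are scanned
    unexpanded, so macro text is treated as noise).
    """
    value = re.sub(r"%\{[^}]*\}", "", value)
    tokens = value.replace("(", " ").replace(")", " ").replace(",", " ").split()
    names, skip_version = set(), False
    for tok in tokens:
        if skip_version:            # token after a comparison operator is a version
            skip_version = False
            continue
        if tok in _OPERATORS:
            skip_version = True
            continue
        if tok.lower() in _RICH_KEYWORDS:
            continue
        if not any(c.isalnum() for c in tok):   # leftovers like "-" from stripped macros
            continue
        names.add(tok)
    return names


def scan_spec(spec_text, base_packages=BASE_PACKAGES):
    """Return [(tag, raw_value, [flagged targets])] for every Supplements/
    Enhances line that targets a watch-listed package other than the spec's
    own Name (a base package may supplement its own subpackages)."""
    name_m = _NAME_LINE.search(spec_text)
    own_name = name_m.group(1) if name_m else None
    findings = []
    for m in _TAG_LINE.finditer(spec_text):
        tag, value = m.group(1).title(), m.group(2)
        hits = targets_of(value) & base_packages
        hits.discard(own_name)
        if hits:
            findings.append((tag, value, sorted(hits)))
    return findings


# Constructed sample specs (not real Fedora packages).
LEAF_SPEC = """\
Name:           fancy-leaf
Version:        1.0
Release:        1%{?dist}
Summary:        A leaf package nothing depends on
License:        MIT
Supplements:    glibc
Recommends:     bash-completion
"""

GLIBC_LIKE_SPEC = """\
Name:           glibc
Version:        2.39
%package langpack-de
Summary:        German locale data
Supplements:    (glibc = %{version}-%{release} and langpacks-de)
"""

if __name__ == "__main__":
    for label, spec in (("leaf", LEAF_SPEC), ("glibc-like", GLIBC_LIKE_SPEC)):
        findings = scan_spec(spec)
        print(f"{label}: {'OK' if not findings else 'REVIEW'}")
        for tag, value, hits in findings:
            print(f"  {tag}: {value}  -> targets base package(s) {hits}")
```

Run on the constructed specs, the leaf package's `Supplements: glibc` is reported for review while the glibc-style langpack line is not, because its only watch-listed target is the spec's own package. Wiring this into a pull-request check on the dist-git repository would make the addition visible at review time rather than, as the reply above expects, only once the package starts showing up in update transactions.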