On Tue, Jun 25, 2024 at 4:48 AM Vitaly Zaitsev via devel <devel@lists.fedoraproject.org> wrote: > > On 24/06/2024 23:38, Gary Buhrmaster wrote: > > As I recall from a previous query, there are > > (around) 90 active proven packagers (and > > ~250 total who were in the PP group). > > I think most privacy/security focused developers/maintainers won't plug > USB tokens they get from random people on the Internet into their > PC/laptop because it could be a BadUSB or something even worse. > > The most common attack is when an attacker plants USB devices near the > office of the company they want to attack. Connecting such devices is > completely NO-GO.
There's a certain amount of trust required in accepting a USB key from *anyone* (even if you were to order one directly from Yubico, RSA, Adafruit, etc.). If we move to requiring tokens, I think it's entirely certain that we would allow anyone to provide their own that we enroll. I assume that Matthew's offer was for us to be able to help those who (for one reason or another) cannot afford one. In that situation, the provenpackagers would be making a three way decision: 1) Stop being a provenpackager, 2) buy their own token or 3) accept one provided by Fedora. I am not a lawyer, but I would assume that if Fedora offered to provide such a token, it would be reviewed by Legal and provide some form of legally-binding assertion that we weren't sending out malicious devices. -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
