On Thu, Sep 15, 2022 at 04:34:08PM -0400, Demi Marie Obenour wrote:
On 9/15/22 13:55, Kevin Fenzi wrote:
> On Thu, Sep 15, 2022 at 09:26:36AM +0300, Alexander Bokovoy wrote:
>>
>> Proven packagers seem to be a fair category to address. Also packagers
>> responsible for security-related bits of the distribution. Compilers?
>
> Well, as others noted in this thread, any packager has a lot of power.
> They can add a weak dep on something everyone has installed and pull
> their package in. Of course they likely only get to do that once.
>
>> There is probably a value in defining what functions critical to have
>> strongly authenticated and identified to the distribution at large. For
>> example, right now even 2FA OTP requirement is not mandatory for certain
>> package groups.
>
> As far as I know, it's not possible to enforce otp per group is it?
> That would be a nice enhancement.
>
> Additionally, right now, packagers commit with ssh keys or oidc tokens,
> in order for a 2fa setup to be effective, we would need to switch that
> to kerberos or the like.
SSH keys are fine.
Sure, but unless you are using ecdsa-sk or ed25519-sk keys, they aren't
2factor enabled. Your account could be using OTP, but if someone gets
your ssh private key they can commit as you.
kevin