On 9/13/22 21:37, Tommy Nguyen wrote:
On Tue, 2022-09-06 at 16:14 -0500, Jonathan Wright via devel wrote:
> On Tue, Sep 6, 2022 at 3:52 PM Vitaly Zaitsev via devel <
> devel(a)lists.fedoraproject.org> wrote:
>
>> On 06/09/2022 19:49, Michael Catanzaro wrote:
>>> Of course, hardware authenticators would be even more secure, and
>>> it
>>> sure seems pretty reasonable to expect that people with commit
>>> access to
>>> Fedora packages are able to purchase a $25 or 30€ security key
>>> [1][2].
I think most people would find it not reasonable for contributors to an
open source project to pay any amount of cash, even $25, to gain
packaging rights. That's tantamount to a membership or entrance fee.
There is a huge difference between accepting contributions from someone
and trusting them with access to a vast number of people’s machines.
Qubes OS accepts contributions from untrusted contributors, but it can
only do so because all code is reviewed by hand before merging, so a
malicious contribution simply will not be accepted. Fedora, on the other
hand, lacks any means to limit the blast radius of a compromised account
with packaging rights. Therefore, preventing such a compromise is
critical, and hardware authenticators are currently the best means of
doing so.
In the long term, Fedora should figure out how to avoid having to trust
such a large number of people with such power. But for now, requiring
**unphishable** 2FA is the best option I am aware of.
--
Sincerely,
Demi Marie Obenour (she/her/hers)