Isn't peer review a much better and easier solution overall? We could
also require signed commits, I guess.
On 15. 09. 22 at 20:36, Gary Buhrmaster wrote:
On Thu, Sep 15, 2022 at 5:55 PM Kevin Fenzi <kevin(a)scrye.com> wrote:
> On Thu, Sep 15, 2022 at 09:26:36AM +0300, Alexander Bokovoy wrote:
>> Proven packagers seem to be a fair category to address. Also packagers
>> responsible for security-related bits of the distribution. Compilers?
Perhaps any packager who has a package in one of the critical path lists?
That number (of package(r)s) may be a bit large, though, for an initial cut
(as I recall, the total number of critical path packages is around 1000
in rawhide, although I have no idea how many packagers that is).
> As far as I know, it's not possible to enforce otp per group, is it?
> That would be a nice enhancement.
Especially if one would like that any enforcement be semi-automatic
rather than one more manual step when adding people to groups.
>> Though with Token2 FIDO2 tokens that cost 14EUR themselves we get close
>> enough to a lower boundary.
> Yeah, it will still be hard to require 100% of packagers, but it might
> be doable.
And, as has been previously pointed out, it is also possible
(although depending on the implementation not as secure) to
use other pkcs11 backends, including software implementations.
devel mailing list -- devel(a)lists.fedoraproject.org