On Wed, 7 Sept 2022 at 02:53, Adam Williamson <adamwill@fedoraproject.org> wrote:
> On Wed, 2022-09-07 at 08:41 +0200, Vitaly Zaitsev via devel wrote:
> > On 06/09/2022 23:14, Jonathan Wright wrote:
> > > Fedora must be looked at as more than just a "hobby project" even though
> > > it is a hobby for some.
> >
> > There are many casual maintainers who maintain one or two packages. We
> > shouldn't force them to leave Fedora.
> >
> > > It's an OS that many rely on and $25 is a somewhat trivial cost for improved security.
> >
> > There are many contributors from countries where $25 is a lot. We
> > shouldn't set up financial barriers. This is a dead end.
>
> I think we kind of have two competing factors here, and it's not much
> use Camp A saying "FACTOR A IS IMPORTANT!" and Camp B saying "NO FACTOR
> B IS IMPORTANT!" and that just goes round in circles.
>
> On the one hand, Fedora is not just a hobby project. It's an important
> upstream in the F/OSS ecosystem. Very important downstreams like
> CentOS, RHEL, Amazon Linux and others are built out of it. It's
> absolutely an attractive target for a supply chain attack. We have an
> ethical responsibility to the F/OSS community to harden ourselves
> against such attacks, and FIDO2 auth would be a good way to do that.

So I think all this focusing on FIDO2 as a requirement is the problem. We are looking at least 2-3 years before Fedora Infrastructure could actually support it at scale. This is not just technical support, but needing people to actually handle the problems. We have a hard enough time handling OTP tokens that people put in and then immediately lose, so they can't log in or change their accounts. Dealing with 100 developers who only put one token on their system and then promptly lose it after going for a jog etc. is going to be a nightmare. [I had to support scientists with one-time tokens before, and it is a constant 'I lost my token and I need to be verified that I am who I am. Can I get a new token?' etc.]

So I am going to say I am in agreement with Vitaly that FIDO2 is not a solution we could support at this time. At most we could support HOTP via yubikey, but we would need to be able to make sure:

1. That we have some sort of '5 codes which can be used in case of emergency'. These are printed on a screen and that is it.
2. We make sure that people have 2 additional devices attached before OTP is 'enabled'.

Otherwise this is going to end in tears even before we try to get 'FIDO2' set up.

> On the other hand, you are correct that requiring people to either pay
> money or accept proprietary software at some level in order to
> contribute packages to Fedora would be a barrier to contribution, and
> barriers to contribution suck. We could maybe find a sponsor to send
> *existing* packagers a hardware token, but that still leaves the
> problem of what to do about *new* packagers - find a sponsor willing to
> mail a key to anyone who passes a package review? Well, maybe. What to
> do about country laws and export controls that have been brought up?
> That's another problem.
>
> So, we are in a dilemma without a perfect solution. We either have to
> decide which factor is more important, or find some way to
> compromise/finesse things, like requiring FIDO2 auth only for
> provenpackagers. Or only for commits to critpath packages. (And then
> what to do about Supplements:-style attacks?)
>
> The productive thing to do is discuss which factor is the most
> important, or what the best compromise would be. Not just have two sets
> of people keep repeating at each other that each factor exists.
> --
> Adam Williamson
> Fedora QA
> IRC: adamw | Twitter: adamw_ha
> https://www.happyassassin.net
>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren