On 9/15/22 13:55, Kevin Fenzi wrote:
On Thu, Sep 15, 2022 at 09:26:36AM +0300, Alexander Bokovoy wrote:
> Proven packagers seem to be a fair category to address. Also packagers
> responsible for security-related bits of the distribution. Compilers?
Well, as others noted in this thread, any packager has a lot of power.
They can add a weak dep on something everyone has installed and pull
their package in. Of course they likely only get to do that once.
> There is probably a value in defining what functions critical to have
> strongly authenticated and identified to the distribution at large. For
> example, right now even 2FA OTP requirement is not mandatory for certain
> package groups.
As far as I know, it's not possible to enforce otp per group is it?
That would be a nice enhancement.
Additionally, right now, packagers commit with ssh keys or oidc tokens,
in order for a 2fa setup to be effective, we would need to switch that
to kerberos or the like.
SSH keys are fine.
Demi Marie Obenour (she/her/hers)