On Thu, Dec 24, 2020 at 07:32:04AM +0000, Dridi Boukelmoune wrote:
> The weakest point in the current system is really the FAS
> password. If
> you have a packager's FAS password you can change the ssh key
> associated with the account to another that you control, and the FAS
> password is also all you need to run a build and submit it to Bodhi.
Well, really the weakest point is email. If you have control over a FAS
account's email address you can reset the password, etc.
Or you add an SSH key without removing the maintainer's keys on the
off chance that it would go unnoticed...
FAS sends email on every such change.
kevin