[Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security
Konstantin Ryabitsev
konstantin at linuxfoundation.org
Mon Jul 13 14:07:52 UTC 2015
On Mon, Jul 13, 2015 at 10:32:06AM +0200, Jiri Kosina wrote:
> If the credentials can be used both to push to ra.kernel.org and to access
> your "local" copy of the GIT repo (on your notebook / desktop / storage),
> I can just push the malicious commit (*) to both repos and you might not
> notice immediately (because you wouldn't get non-fast-forward hint from
> git).
This is mitigated somewhat by existing 2-factor mechanisms placed on
select git repositories.
https://korg.wiki.kernel.org/userdoc/gitolite_2fa
To successfully attack in this manner, you would need to push to
gitolite.kernel.org from an IP address that's been previously
2fa-validated by the developer.
Which brings me around to grumbling a bit -- since we've made 2-factor
auth available, only 30 people have set up a token[*] (not even 10% of all
account holders) and only 25 repositories/subdirs have a 2fa requirement
on them, out of 450 defined.
I'm far from suggesting that we make this mandatory, but I'm open to
any suggestions on how we can make more developers enroll with 2fa.
Best,
--
Konstantin Ryabitsev
Linux Foundation Collab Projects
Montréal, Québec
[*] Not counting a couple of people using GPG smartcards/yubikeys
for their ssh authentication.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <http://lists.linuxfoundation.org/pipermail/ksummit-discuss/attachments/20150713/b004e965/attachment.sig>
More information about the Ksummit-discuss
mailing list