[Lvfs-announce] Limiting sharing of embargo remotes
Richard Hughes
hughsient at gmail.com
Wed Nov 15 17:46:14 UTC 2023
Hi all,

Recently we discovered that at least one LVFS vendor was sharing the
vendor-embargo.conf configuration to people outside of their vendor
group. Knowing the remote access token is enough to download the
vendor-specific metadata which *may* include firmware under security
embargo and so sharing the access token is certainly not recommended
by me. Vendors wanting to do this “the correct way” should ask
suppliers or QA companies to create a vendor account on the LVFS
(still 100% free!) and then the specific firmware can be shared with
them directly.

I appreciate some vendors are relying on the not-recommended sharing
access token feature right now, and don’t want to break that workflow
– so don’t worry that everything is going to break.

I’ve just merged a new feature in
https://gitlab.com/fwupd/lvfs-website/-/merge_requests/1416 called
“require vendors to set the username and password when downloading
embargoed metadata” – this makes it possible for vendors to opt-in to
the more secure mode of checking who is downloading metadata for an
additional layer of protection. This means even if the remote access
token is accidentally leaked, only users with an LVFS account in the
correct vendor group can access it.

So now I need to know from each vendor what embargo metadata
permissions you’d like to choose. The choices are:

* Only authenticated users – the most secure mode – a username and
  user token is required in the remote and the remote access token is
  less of a secret
* All users – the less secure mode – only the remote access token in
  the metadata URL is required

At the moment the default is “all users” although this default will be
swapped in the future. If you are an affected vendor that wants the
insecure mode (sharing the embargo remote with other companies) can
you also please tell me who you’re sharing it with – as I’d much
rather set up the affiliate relationships in the LVFS so we’re able to
revoke or modify permissions in the future.

Please reply to me personally, rather than the mailing list. Thanks!

Richard
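
The two modes described in the message above, as an added example that is not part of the original message or the LVFS code: a small audit that flags embargo remote files relying on the access token alone. The sample URL shape (token as a hex string in the metadata filename), the vendor name and the credentials are constructed assumptions; `MetadataURI`, `Username` and `Password` are fwupd remote keys, with `Password` assumed to hold the user token.

```python
import configparser
import re

# Constructed sample remotes: the token, username and password are placeholders.
ALL_USERS_CONF = """\
[fwupd Remote]
Enabled=true
Title=Embargoed for example-vendor
MetadataURI=https://fwupd.org/downloads/firmware-0123456789abcdef0123456789abcdef01234567.xml.gz
"""
AUTHENTICATED_CONF = ALL_USERS_CONF + """\
Username=qa@example.com
Password=PLACEHOLDER_USER_TOKEN
"""

# Assumption: the access token is a long hex string in the metadata filename.
TOKEN_RE = re.compile(r"/firmware-[0-9a-f]{16,}\.")


def audit_remote(conf_text):
    """Return findings for one remote .conf; an empty list means nothing to flag."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(conf_text)
    if not parser.has_section("fwupd Remote"):
        return ["no [fwupd Remote] section"]
    remote = parser["fwupd Remote"]
    uri = remote.get("MetadataURI", "")
    if not TOKEN_RE.search(uri):
        return []  # no token in the URL, so not an embargo remote
    findings = []
    if not uri.startswith("https://"):
        findings.append("access token sent over a non-HTTPS MetadataURI")
    if not (remote.get("Username", "").strip() and remote.get("Password", "").strip()):
        findings.append("token-only remote: no Username/Password set")
    return findings


if __name__ == "__main__":
    for name, text in (("all users", ALL_USERS_CONF), ("authenticated", AUTHENTICATED_CONF)):
        print(name, "->", audit_remote(text) or "ok")
```

A token-only finding means the file works as a bearer credential on its own, which is the situation the "only authenticated users" mode is meant to close.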