On Tue, 2024-06-25 at 16:21 +0200, Vitaly Zaitsev via devel wrote:
> On 25/06/2024 15:06, Stephen Gallagher wrote:
> > I am not a lawyer, but I would assume that if Fedora offered to
> > provide such a token, it would be reviewed by Legal and provide some
> > form of legally-binding assertion that we weren't sending out
> > malicious devices.
> 
> Who can guarantee that these devices were not replaced during delivery?
> 
> > In that situation, the
> > provenpackagers would be making a three way decision: 1) Stop being a
> > provenpackager, 2) buy their own token or 3) accept one provided by
> > Fedora.
> 
> 4. Allow classic OTP codes.
> 
> I would prefer this one since I can use open source applications to
> generate these codes. I can't find any FIDO2 implementations that are
> completely open source and that don't require proprietary technologies
> like TPM or SGX. Relying on a black box is not an option for me.

But, uh, any open source application you run is running on a hardware
stack vastly more complicated and equally prone to trickery as a
simple, cheap USB key.

Who guarantees that no component of your PC was replaced during
delivery at any point along its supply chain? Who guarantees the bona
fides of everyone who has ever contributed to its various firmwares and
their updates, and all its components and *their* various firmwares and
their updates? Same questions for your phone.

Really, if you're going to that level of paranoia, you should swear off
electronic devices entirely.

In the world of what's realistically possible for Fedora, enabling 2FA
and sending everyone a USB stick is a lot better than not enabling 2FA.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @ad...@fosstodon.org
https://www.happyassassin.net



--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org