Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
FS#67536 - Feature request: add 2FA support for package signing
Attached to Project:
Pacman
Opened by Mark Stosberg (markstos) - Sunday, 09 August 2020, 13:23 GMT
Last edited by Allan McRae (Allan) - Sunday, 04 December 2022, 02:22 GMT
Details
This is a feature request to add 2FA support for package signing.
An initial goal can be to support certain package uploads to require 2FA signing, as the NPM registry supports: https://docs.npmjs.com/requiring-2fa-for-package-publishing-and-settings-modification
A longer-term goal could be to require all developers uploading packages to sign their packages with 2FA, as Apple started doing in 2019: https://developer.apple.com/support/authentication/
Security compromises may start with remotely compromised laptops. If those laptops also hold private package signing keys, there is a path to uploading malicious packages. Requiring 2FA for package uploads would add an additional layer of security by requiring the developer to also possess a trusted device or security key to complete the package upload.
This may not be the right place to file this suggestion. Let me know if there's a better place to post it. Thanks!
Are you asking for the Arch infrastructure to add 2FA to the ssh login for submitting packages?