Hello,

On 2022-03-02 14:52, Michal Suchánek wrote:
On Wed, Mar 02, 2022 at 02:35:37PM +0100, Johannes Meixner wrote:
On 2022-03-01 15:20, Dan Čermák wrote:
please take a look whether your co-maintainers are still active and especially check from time to time whether their email addresses are still valid. There's a few accounts on OBS that use email addresses to expired domains, which pose a security risk: an adversary could re-register that domain, request a password reset, take over the old account and cause quite some harm.
I fail to see how I should do that in practice.
Assume a project has a maintainer listed with e-mail address "john.doe@johndoe.org" in https://build.opensuse.org/users/JohnDoe but the "johndoe.org" domain had expired and is now used by some evil hacker.
In practice an evil hacker does not take over the domain the moment it expires. There is a period in which the domain is invalid.
Quick googling for "expired domain invalid period of time" shows me that it could be only something like 30 days (at least in some cases).
I don't think this is something a maintainer can practically carry out by hand.
Yes. We have dumb computers for dumb repetitive jobs ;-)

Kind Regards
Johannes Meixner
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5 - 90409 Nuernberg - Germany
(HRB 36809, AG Nuernberg) GF: Ivo Totev
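A sketch of the automated check the thread points toward, added here as an example and not part of the original messages or of OBS: it remembers which maintainer e-mail domains stopped resolving, so an account stays flagged even after the domain comes back under a possibly different owner. The names `audit`, `resolves`, `fail_runs` and `threshold` are assumptions, as is the use of an address-record lookup as a stand-in for a registry query.

```python
import socket

def resolves(domain):
    """Assumed probe: True if the name has any address record. A registry
    (RDAP/WHOIS) lookup would be more exact; this is a stand-in."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def audit(accounts, fail_runs, probe=resolves, threshold=2):
    """accounts: {login: email}. fail_runs: {domain: consecutive failed runs},
    persisted by the caller between runs. Returns {login: verdict}."""
    cache, verdicts = {}, {}
    for login, email in sorted(accounts.items()):
        domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
        if domain not in cache:
            cache[domain] = probe(domain)
            if not cache[domain]:
                fail_runs[domain] = fail_runs.get(domain, 0) + 1
        if not cache[domain]:
            # One failure may be a DNS blip; repeated failure means lapsed.
            verdicts[login] = "LAPSED" if fail_runs[domain] >= threshold else "retry"
        elif fail_runs.get(domain, 0) >= threshold:
            # Was gone, resolves again: possibly re-registered by someone else.
            # Stays flagged until a human verifies and clears fail_runs.
            verdicts[login] = "REAPPEARED"
        else:
            fail_runs.pop(domain, None)
            verdicts[login] = "ok"
    return verdicts

if __name__ == "__main__":
    # Constructed sample data; the first address is the thread's own example.
    accounts = {"JohnDoe": "john.doe@johndoe.org", "jane": "jane@example.com"}
    state = {}
    for dead in ({"johndoe.org"}, {"johndoe.org"}, set()):  # three simulated runs
        print(audit(accounts, state, probe=lambda d: d not in dead))
```

Run it on a schedule shorter than the invalid period mentioned above (possibly only 30 days), so the dead window is observed before any re-registration.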