Hello,

On 2022-03-01 15:20, Dan Čermák wrote:
> please take a look whether your co-maintainers are still active and especially check from time to time whether their email addresses are still valid. There's a few accounts on OBS that use email addresses to expired domains, which pose a security risk: an adversary could re-register that domain, request a password reset, take over the old account and cause quite some harm.

I fail to see how I should do that in practice.

Assume a project has a maintainer listed with e-mail address "john.doe@johndoe.org" in https://build.opensuse.org/users/JohnDoe but the "johndoe.org" domain had expired and is now used by some evil hacker.

If I use some publicly accessible email address verifier it would show me that "john.doe@johndoe.org" is a "valid" (i.e. existing) e-mail address. If I send an e-mail to "john.doe@johndoe.org" and ask if he is still maintainer of that openSUSE project he would reply "yes of course".

So how could I check in practice whether or not an e-mail address is still owned by the expected person?

Kind Regards
Johannes Meixner
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5 - 90409 Nuernberg - Germany
(HRB 36809, AG Nuernberg) GF: Ivo Totev