Project Maintainers: check whether your co-maintainers are active
Dear maintainers of development projects on OBS,
please take a look whether your co-maintainers are still active and especially check from time to time whether their email addresses are still valid. There's a few accounts on OBS that use email addresses to expired domains, which pose a security risk: an adversary could re-register that domain, request a password reset, take over the old account and cause quite some harm. So if you find such an old account, please try to reach the maintainer via another channel and if not, please take the appropriate measures.
Cheers,
Dan
--
Dan Čermák <dcermak@suse.com>
Software Engineer Development tools
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nuremberg
Germany
(HRB 36809, AG Nürnberg)
Managing Director/Geschäftsführer: Ivo Totev
Hello,
On Tue, Mar 01, 2022 at 03:20:25PM +0100, Dan Čermák wrote:
Dear maintainers of development projects on OBS,
please take a look whether your co-maintainers are still active and especially check from time to time whether their email addresses are still valid. There's a few accounts on OBS that use email addresses to expired domains, which pose a security risk: an adversary could re-register that domain, request a password reset, take over the old account and cause quite some harm.
So if you find such an old account, please try to reach the maintainer via another channel and if not, please take the appropriate measures.
I see an opportunity for automated checks here. Even if all project maintainers manage to carry out an ad-hoc check correctly once, an automated check is much more future-proof.
Thanks
Michal
On Tuesday 2022-03-01 15:20, Dan Čermák wrote:
Dear maintainers of development projects on OBS,
please take a look whether your co-maintainers are still active and
I have taken the liberty to trim devel:libraries:c_c++. The method used was `osc rq list -s all devel:libraries:c_c++` searching for particular usernames; if the username appeared as last actor and the activity was within the past ~15 months, it stayed, otherwise it was trimmed. There is a corner case where the osc info is not helpful (thinking revoke-after-decline). If there was a mistake, holler an email and the maintainer list gets fixed again.
Hello,
On 2022-03-01 15:20, Dan Čermák wrote:
please take a look whether your co-maintainers are still active and especially check from time to time whether their email addresses are still valid. There's a few accounts on OBS that use email addresses to expired domains, which pose a security risk: an adversary could re-register that domain, request a password reset, take over the old account and cause quite some harm.
I fail to see how I should do that in practice. Assume a project has a maintainer listed with e-mail address "john.doe@johndoe.org" in https://build.opensuse.org/users/JohnDoe but the "johndoe.org" domain had expired and is now used by some evil hacker. If I use some publicly accessible email address verifier it would show me that "john.doe@johndoe.org" is a "valid" (i.e. existing) e-mail address. If I send an e-mail to "john.doe@johndoe.org" and ask if he is still maintainer of that openSUSE project he would reply "yes of course". So how could I check in practice whether or not an e-mail address is still owned by the expected person?
Kind Regards
Johannes Meixner
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5 - 90409 Nuernberg - Germany
(HRB 36809, AG Nuernberg)
GF: Ivo Totev
Hello,
On Wed, Mar 02, 2022 at 02:35:37PM +0100, Johannes Meixner wrote:
Hello,
On 2022-03-01 15:20, Dan Čermák wrote:
please take a look whether your co-maintainers are still active and especially check from time to time whether their email addresses are still valid. There's a few accounts on OBS that use email addresses to expired domains, which pose a security risk: an adversary could re-register that domain, request a password reset, take over the old account and cause quite some harm.
I fail to see how I should do that in practice.
Assume a project has a maintainer listed with e-mail address "john.doe@johndoe.org" in https://build.opensuse.org/users/JohnDoe but the "johndoe.org" domain had expired and is now used by some evil hacker.
In practice an evil hacker does not take over the domain the moment it expires. There is a period in which the domain is invalid. To notice the period when the e-mail is invalid you (or a robot) would have to try and resolve the domain, and then try and send an e-mail to the given address if the e-mail for the domain is still routed. This can occasionally give errors due to temporary outage but if the e-mail is not routable for weeks or months a bot could create a request to remove the account in question from any maintainer roles - much like we have bots commenting stale PRs and creating deletion requests for stale projects. I don't think this is something a maintainer can practically carry out by hand.
Thanks
Michal
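The bot logic Michal sketches above, written out as an added example that is not part of this thread or of OBS: each run probes whether a maintainer's mail domain is still routable, a single failure only starts a clock, and an account is reported for removal only after it has stayed unroutable for a grace period. The maintainer records, the `is_routable` probe and the 30-day grace period are constructed assumptions; a real deployment would back the probe with an MX lookup (for instance dnspython's `dns.resolver.resolve(domain, "MX")`).

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List

# Constructed sample: OBS-style maintainer records (hypothetical users/addresses).
MAINTAINERS: List[dict] = [
    {"user": "JohnDoe", "email": "john.doe@johndoe.org"},
    {"user": "alice", "email": "alice@example.net"},
]


@dataclass
class CheckState:
    # e-mail address -> first date on which its domain stopped being routable
    first_failure: Dict[str, date] = field(default_factory=dict)


def mail_domain(email: str) -> str:
    """Return the lower-cased domain part of an address; reject malformed input."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return domain.lower()


def run_check(maintainers: List[dict], state: CheckState,
              is_routable: Callable[[str], bool], today: date,
              grace_days: int = 30) -> List[str]:
    """One bot run. Returns the users whose address has been unroutable for
    at least grace_days. A domain that resolves again clears its entry, so a
    temporary outage never accumulates into a removal request."""
    flagged = []
    for m in maintainers:
        email = m["email"]
        if is_routable(mail_domain(email)):
            state.first_failure.pop(email, None)  # recovered: reset the clock
            continue
        first = state.first_failure.setdefault(email, today)
        if today - first >= timedelta(days=grace_days):
            flagged.append(m["user"])
    return flagged


def fake_probe(routable_domains: set) -> Callable[[str], bool]:
    """Stand-in for the DNS/MX probe so the example runs offline (assumption)."""
    return lambda domain: domain in routable_domains


if __name__ == "__main__":
    state = CheckState()
    probe = fake_probe({"example.net"})  # johndoe.org no longer resolves
    for day in (date(2022, 3, 1), date(2022, 3, 20), date(2022, 3, 31)):
        print(day, "flag for removal:", run_check(MAINTAINERS, state, probe, day))
```

Note the limitation Johannes raises: once a third party re-registers the domain it resolves again and the clock resets, so the check only catches accounts during the window in which the domain is actually dead.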
Hello,
On 2022-03-02 14:52, Michal Suchánek wrote:
On Wed, Mar 02, 2022 at 02:35:37PM +0100, Johannes Meixner wrote:
On 2022-03-01 15:20, Dan Čermák wrote:
please take a look whether your co-maintainers are still active and especially check from time to time whether their email addresses are still valid. There's a few accounts on OBS that use email addresses to expired domains, which pose a security risk: an adversary could re-register that domain, request a password reset, take over the old account and cause quite some harm.
I fail to see how I should do that in practice.
Assume a project has a maintainer listed with e-mail address "john.doe@johndoe.org" in https://build.opensuse.org/users/JohnDoe but the "johndoe.org" domain had expired and is now used by some evil hacker.
In practice an evil hacker does not take over the domain the moment it expires. There is a period in which the domain is invalid.
Quick googling for "expired domain invalid period of time" shows me that it could be only something like 30 days (at least in some cases).
I don't think this is something a maintainer can practically carry out by hand.
Yes. We have dumb computers for dumb repetitive jobs ;-)
Kind Regards
Johannes Meixner
--
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5 - 90409 Nuernberg - Germany
(HRB 36809, AG Nuernberg)
GF: Ivo Totev
Participants (4): Dan Čermák, Jan Engelhardt, Johannes Meixner, Michal Suchánek