Hi!
My name is Georg Kunz and I work with the Developer Best Practices Working Group of the Linux Foundation's Open Source Security Foundation (OpenSSF) "Great Multi-Factor Authentication (MFA) Distribution Project".
We'd like to give your project free MFA hardware tokens from Google and GitHub, for use by your maintainers. We'd especially like to give them to any of your maintainers who aren't already using any. Our goal is to help improve the security of open source software (OSS)/Free Software projects. For example, these tokens can counter attacks that release source code updates and/or packages using stolen passwords.
By 2021-12-20 and preferably much sooner, please let me know:
We would send you coupon codes and validation codes to the private email address. You would then distribute those codes to the maintainers you choose. The recipients would use the coupon codes and validation codes to "buy" the tokens from the Google Store and/or GitHub Shop, who would ship the tokens directly to recipients. These codes are use-once, so make sure you can keep the codes private until they're used by the intended person.
Important: The Google coupon codes must be used by 2021-12-31 on the Google Store or they expire.
How can you trust us? You don't need to. You would get the MFA tokens from Google and GitHub; we're simply offering codes to make them no-cost. We'll provide some documentation on how to use them, but you don't need to use our documents.
To qualify, each token recipient must:
We also need each project that receives coupon codes and/or validation codes to tell us these numbers (preferably within 30 days of getting the codes):
We ask for this information so we can tell others some simple measures of success. We don't need nor want the names of any individuals participating. It's fine to ask the people who got the codes for that information and provide a best-effort summary.
The MFA tokens are shipped from the US. They can be shipped internationally, but there are various limitations on where each can be shipped.
In particular, we can't ship somewhere if that is forbidden (sanctioned) under US law. So at this time we are unable to ship to individuals in China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan, and Syria. Sorry about that. See the Google and GitHub sites for more shipping information. More sanction information is available.
More information, including how-tos and other setup information, can be found at the "Great Multi-Factor Authentication (MFA) Distribution Project" site.
Best regards
Georg
Labels | Added: No Code Attached Yet |
So if there is a direct communication channel now, can we close this issue or move it to discussions?
Hi @zero-24, great, I'll reach out to you via email. @richard67, it is fine from my side to close this issue.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-12-11 10:47:27 |
Closed_By | ⇒ | richard67 |
Closing as stated above.
Hi @gkunz
thanks for this offer. I have just posted this issue into our internal Maintainer Chat.
Just for reference, everyone who is part of the Joomla Organisation on GitHub is required to use MFA already and the same is rolled out for any Super Administrator that maintains our websites, but some might 'just' use Software MFA.
Please contact me via [removed] and I'm happy to coordinate with you so we don't need to post all the emails and all the details etc. here on a public GitHub issue.
More details about me and my involvement within Joomla can be found here: https://volunteers.joomla.org/joomlers/248-tobias-zulauf
Thanks