Community Support - Open Source Project Repository Hosting
OSSRH-53563

Two-Factor logins (in particular, for oss.sonatype.org)


Details

    • Group Id: null
    • Publishing Hostname: oss.sonatype.org
    • Modify publishing permissions?: No

Description

I am a maintainer of a major open source project hosted on maven central.

As far as I can tell, anybody that has my oss.sonatype.org username and password can push out a new version, and in that way, hack a few million PCs.

Please help me avoid Equifax, event-stream and other 'comedy of errors' level accidents and gimme a little more than just a password.

If you need me to recommend you a few TOTP libraries that work well (note: Many off the shelf solutions are broken, security wise; for example, they allow guessing at TOTP codes, which is always bad, as one in every 200,000 attempts is lucky, and a script in the same datacenter can try 200k times in an hour or so) – let me know.


People

Assignee: central-ossrh Bot Central-OSSRH
Reporter: rzwitserloot Reinier Zwitserloot
Votes: 1
Watchers: 2
