
OpenSSF: The Great MFA Distribution Project

Open justaugustus opened this issue 2 years ago • 23 comments

From @lehors on https://groups.google.com/g/kubernetes-dev/c/OkHPvFuUcDE:

Hi! I work with the Developer Best Practices Working Group of the Linux Foundation's Open Source Security Foundation (OpenSSF) "Great Multi-Factor Authentication (MFA) Distribution Project".

We'd like to give your project free MFA hardware tokens from Google and GitHub, for use by your maintainers. We'd especially like to give them to any of your maintainers who aren't already using any. Our goal is to help improve the security of open source software (OSS)/Free Software projects. For example, these tokens can counter attacks that release source code updates and/or packages using stolen passwords.

By 2021-12-20 and preferably sooner if possible, please let me know:

If you want any tokens, and if so...
How many Titan tokens from Google (up to 5)
How many Yubikey tokens from GitHub (up to 5)
The private email address to send codes to (this email must not go to the public, as these are use-once codes that can be used to get the tokens)
If you could use more, how many more.

We would send you coupon codes and validation codes to the private email address. You would then distribute those codes to the maintainers you choose. The recipients would use the coupon codes and validation codes to "buy" the tokens from the Google Store and/or GitHub Shop, who would ship the tokens directly to recipients. These codes are use-once, so make sure you can keep the codes private until they're used by the intended person.

Important: The Google coupon codes must be used by 2021-12-31 on the Google Store or they expire.

How can you trust us? You don't need to. You would get the MFA tokens from Google and GitHub; we're simply offering codes to make them no-cost. We'll provide some documentation on how to use them, but you don't need to use our documents.

To qualify, each token recipient must:

Be a maintainer or contributor to this critical open source software (OSS) project, or to another OSS project that this project depends on (the dependency may be indirect).
Try to use an MFA token once they receive the token. We'd like recipients to use MFA tokens from then on, but at least try.
Not reuse the token between different people (the token must not be shared).
Consider providing feedback to us (so we can try to fix problems).

We also need each project that receives coupon codes and/or validation codes to tell us these numbers (preferably within 30 days of getting the codes):

How many tokens did you distribute from just Google? From just GitHub?
How many people received tokens from just Google? From just GitHub? From both?
How many people didn’t have hardware tokens they used for OSS who received tokens from just Google? From just GitHub? From both?

We ask for this information so we can tell others some simple measures of success. We don't need nor want the names of any individuals participating. It's fine to ask the people who got the codes for that information and provide a best-effort summary.

The MFA tokens are shipped from the US. They can be shipped internationally, but there are various limitations on where each can be shipped.

In particular, we can't ship somewhere if that is forbidden (sanctioned) under US law. So at this time we are unable to ship to individuals in China, Afghanistan, Russia, Ukraine, North Korea, Iran, Sudan, and Syria. Sorry about that. See the Google and GitHub sites for more shipping information. More sanction information is available.

More information, including how-tos and other setup information, can be found at the "Great Multi-Factor Authentication (MFA) Distribution Project" site.

Let me know if you have any questions.

Thanks!

Arnaud Le Hors - IBM

/assign


Tracking Release Manager responses:

Needs:

Yubikey

  • @xmudrii
  • @palnabarun
  • @Verolop

Titan

  • @ameukam

Already has:

  • @justaugustus (Titan)
  • @saschagrunert (Titan)
  • @cpanato (Titan)
  • @puerco (Titan)

justaugustus avatar Dec 15 '21 15:12 justaugustus

FYI, please note that Ukraine as a whole is not sanctioned under US law, only the Crimea region of Ukraine; you may find more details here - https://home.treasury.gov/system/files/126/ukraine_overview_of_sanctions.pdf.

I'd suggest updating the shipping restrictions list above.

idvoretskyi avatar Dec 15 '21 16:12 idvoretskyi

@kubernetes/release-managers -- Please reply here with:

  1. If you already have a MFA hardware token
  2. If you would like a MFA hardware token
  3. Indicate your preference of token: Titan or Yubikey

justaugustus avatar Dec 15 '21 16:12 justaugustus

  1. No, I never had one.
  2. Yes, I would like one.
  3. Yubikey. Google doesn't ship to Serbia, so Titan is not an option.

Thanks a lot for this great opportunity!

xmudrii avatar Dec 15 '21 16:12 xmudrii

EDIT:

  2. Yes, I would like to get one (more than one if possible).
  3. Interested in getting a Google Titan key.

ameukam avatar Dec 15 '21 16:12 ameukam

  1. I would like to get one.
  2. Yubikey. I would have preferred a Titan, but the Google Store doesn't ship Titan to India.

palnabarun avatar Dec 15 '21 16:12 palnabarun

  1. I don't
  2. I would like one.
  3. Yubikey, please

Verolop avatar Dec 15 '21 17:12 Verolop

Noting for myself: I already have a Titan key (thanks @dlorenc!)

justaugustus avatar Dec 15 '21 17:12 justaugustus

I don't have any token, I'd like to have a titan key o/

aojea avatar Dec 15 '21 20:12 aojea

I already have a titan, just for the note.

saschagrunert avatar Dec 16 '21 08:12 saschagrunert

I already have a titan as well

cpanato avatar Dec 16 '21 09:12 cpanato

I have a Titan too :+1:

puerco avatar Dec 16 '21 17:12 puerco

Hello there,

Unfortunately the coupons we had for the Titan tokens are no longer available but I can still get Yubikey tokens to those interested in that. @ameukam short of getting a Titan token would you be interested in a Yubikey?

@justaugustus Can I just give your email to the Github folks and you can take it from there? Otherwise I'll need everybody's email address.

Thanks.

lehors avatar Jan 21 '22 14:01 lehors

@justaugustus Can I just give your email to the Github folks and you can take it from there? Otherwise I'll need everybody's email address.

Thanks Arnaud! Sent you an email with my contact info.

justaugustus avatar Jan 21 '22 14:01 justaugustus

@justaugustus Can I just give your email to the Github folks and you can take it from there? Otherwise I'll need everybody's email address.

@justaugustus please count me in, I'd like to have yubikey too

aojea avatar Jan 21 '22 14:01 aojea

@justaugustus please count me in, I'd like to have yubikey too

Hey Antonio, I need to finish checking in with Release Managers and Tech Leads before we can consider extending this outside of "people with a pager".

Will keep you in mind though! 💞

justaugustus avatar Jan 21 '22 14:01 justaugustus

Hello there,

Unfortunately the coupons we had for the Titan tokens are no longer available but I can still get Yubikey tokens to those interested in that. @ameukam short of getting a Titan token would you be interested in a Yubikey?

@justaugustus Can I just give your email to the Github folks and you can take it from there? Otherwise I'll need everybody's email address.

Thanks.

@lehors Happy to get a Yubikey. Thank you!

ameukam avatar Jan 21 '22 14:01 ameukam

@justaugustus I've sent you a couple of emails but apparently you're not receiving them. I'd like to close this now. Could you please send me the list of all the people who would like to have a Yubikey? Thanks.

lehors avatar Feb 14 '22 17:02 lehors

@justaugustus I've sent you a couple of emails but apparently you're not receiving them. I'd like to close this now. Could you please send me the list of all the people who would like to have a Yubikey? Thanks.

@lehors -- Crawling out of the inbox after some time off. Thanks for the ping! Will send the list over soon :)

justaugustus avatar Feb 14 '22 17:02 justaugustus

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar May 15 '22 18:05 k8s-triage-robot

@justaugustus @lehors Sorry but were we supposed to receive an email or something?

ameukam avatar May 15 '22 18:05 ameukam

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Jun 14 '22 19:06 k8s-triage-robot

/remove-lifecycle rotten

palnabarun avatar Jul 14 '22 12:07 palnabarun

I've sent you a couple of emails but apparently you're not receiving them. I'd like to close this now. Could you please send me the list of all the people who would like to have a Yubikey? Thanks.

This is still valid? Or should we close it?

sftim avatar Aug 23 '22 14:08 sftim

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 21 '22 15:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 21 '22 16:12 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Jan 20 '23 17:01 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 20 '23 17:01 k8s-ci-robot