Hacker News

KolmogorovComp, yesterday at 10:24 PM (4 replies)

I don't think it'd necessarily be a good decision; sometimes CVEs are actively exploited and need quick patching.

A better safety net would be to require active 2FA proof for every package update.


Replies

therealmarv, today at 12:10 AM

As if supply chain attacks could have been prevented by 2FA or passkeys always.

You want delays by x days because supply chain attacks get caught very often within 1-2 days. And if you really really want to make an exception for a zero day then that's no problem and you can still quick patch by exclusion of that rule. They don't contradict in an unsolvable problem. You want both, you get both.

jnwatson, yesterday at 10:33 PM

If you need a quick patch, you pass another parameter to turn off the 1-day delay. A 1-day delay will prevent more problems than it makes.

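Concretely, the policy the two comments above describe (therealmarv's N-day hold on new releases and jnwatson's per-run parameter to switch it off for a package that needs an urgent patch) looks like this as an added Python example. It is not code from any real package manager or from anyone in the thread; the registry metadata is constructed inline and only mirrors the shape of npm's `time` map (version -> publish timestamp), the package names, versions and timestamps are made up, and the `--allow-fresh` flag mentioned in the comments is a hypothetical name for the override.

```python
"""Minimum-release-age gate for dependency resolution, with an explicit
per-package override (added example; not from any real package manager)."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like npm's registry "time" map
# (version -> publish timestamp, plus "created"/"modified" keys).
# Package names, versions and timestamps are made up for this example.
SAMPLE_REGISTRY = {
    "left-pad-ish": {
        "created": "2024-01-01T00:00:00.000Z",
        "modified": "2024-06-12T00:00:00.000Z",
        "1.0.0": "2024-01-01T00:00:00.000Z",
        "1.1.0": "2024-06-01T09:00:00.000Z",
        "1.1.1": "2024-06-10T11:30:00.000Z",   # published 30 minutes before NOW
        "1.2.0": "2024-06-12T00:00:00.000Z",   # timestamp after NOW (clock skew or tampering)
        "2.0.0-beta.1": "2024-06-09T00:00:00.000Z",  # prerelease, never auto-selected
    },
    "fresh-lib": {
        "created": "2024-06-10T10:00:00.000Z",
        "modified": "2024-06-10T10:00:00.000Z",
        "0.1.0": "2024-06-10T10:00:00.000Z",   # only release is two hours old
    },
}

# Fixed "now" so the example is deterministic; a real tool would use
# datetime.now(timezone.utc).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def parse_version(v):
    """Sortable tuple for a plain numeric version; None for prerelease or
    non-version keys ("created", "modified"), which this policy never picks."""
    try:
        return tuple(int(p) for p in v.split("."))
    except ValueError:
        return None


def parse_ts(ts):
    """Registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_version(package, time_map, now, min_age_days=1, exceptions=frozenset()):
    """Pick the highest version published at least min_age_days before `now`.

    A package listed in `exceptions` (the "zero-day, patch now" override from
    the thread) is held to an age of zero. A version whose publish time is
    after `now` is never eligible, override or not, so a future-dated entry
    cannot slip past the gate. Returns None when nothing qualifies: fail
    closed rather than install something the rest of the world has not yet
    had a chance to look at.
    """
    min_age = timedelta(0) if package in exceptions else timedelta(days=min_age_days)
    cutoff = now - min_age
    eligible = []
    for version, ts in time_map.items():
        key = parse_version(version)
        if key is None:
            continue
        if parse_ts(ts) <= cutoff:
            eligible.append((key, version))
    if not eligible:
        return None
    return max(eligible)[1]


def resolve(wanted, registry, now, min_age_days=1, exceptions=frozenset()):
    """Apply the gate to every requested package; None marks a held-back package."""
    return {
        name: select_version(name, registry[name], now, min_age_days, exceptions)
        for name in wanted
    }


if __name__ == "__main__":
    # Default policy: one-day hold on everything.
    print(resolve(["left-pad-ish", "fresh-lib"], SAMPLE_REGISTRY, NOW))
    # -> {'left-pad-ish': '1.1.0', 'fresh-lib': None}
    # Same run with the override a hypothetical --allow-fresh=left-pad-ish flag would set.
    print(resolve(["left-pad-ish", "fresh-lib"], SAMPLE_REGISTRY, NOW,
                  exceptions={"left-pad-ish"}))
    # -> {'left-pad-ish': '1.1.1', 'fresh-lib': None}
```

Two design points worth noting: the override is scoped to a named package, not a global "skip the delay" switch, so an urgent patch for one dependency does not silently pull in every other package published in the last day; and the cutoff compares against the registry's publish timestamp rather than the local lockfile date, which is what makes a version published thirty minutes ago, or one with a future-dated timestamp, fall out of the candidate set.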
woodruffw, today at 3:00 AM

I think you want both of these things. Realistically we're not at a point yet where all MFA credentials are phishing resistant.

hedora, today at 3:44 AM

“How do I get my security hardened CD pipeline to 2FA?”