https://blog.mozilla.org/security/2018/09/11/protecting-mozillas-github-repositories-from-malicious-modification/ has a number of interesting recommendations.
We currently don't require 2FA for the entire organization, but I think we do softly enforce it for those that can merge (editors)?
Contact methods are given through the Participate Agreement.
We don't allow force pushing (but sometimes override this to fix an error; is that problematic if it's done by a trusted party?).
We don't do commit signing, but it's not entirely clear to me what the attack scenario is there.
I think we're in pretty good shape, but it seems good to evaluate if we can do more given that some defined algorithms are rather sensitive. I also don't really want a WHATWG standard to become an example attack vector at some future point.