Phabricator Username: SecurityPatchBot
Reasons For Request: Motivated by T350065. In order to be able to ping security patch tasks, they need to be visible to the SecurityPatchBot. The bot will not log/expose any information from the tasks.
Hi @Mstyles yes, approved. We'd protect any credentials for this bot in the same way we're protecting access to the security patches themselves in our automated testing (since this bot will be used to update security tasks with the results of automated testing).
@thcipriani do you know if it's possible to add MFA to a bot account? I understand the team will be protecting credentials, which is great. I looked around in the Phabricator documentation and I didn't see anything, but I wanted to be thorough.
@Mstyles As you mentioned, there don't seem to be any references in the docs. Also, the settings section in the UI for bots doesn't offer MFA options, unlike the settings for a regular user.
I'm not sure how an MFA workflow for a bot would work, but intuitively (maybe I'm wrong) any extra authentication factor would need to be collocated with the current credentials (a conduit token) so the bot could access both securely. In that case, an attacker getting access to one of the factors would probably get access to both.