On Thu, Jun 11, 2026 at 03:25:17PM +0200, Fabio Valentini wrote: > On Thu, Jun 11, 2026 at 11:05 AM Daniel P. Berrangé <[email protected]> > wrote: > > > > IMHO it is not a good look that Fedora continues to allow passwords > > alone, given we know we are a high value target, and the consequences > > can be potentially far reaching. 2FA isn't a magic solution to all > > threats, but continuing to allow passwords alone makes compromising > > account credentials too easy. > > Don't forget that the actions here happened on Bugzilla, which uses a > separate account, and is not necessarily connected to people's FAS > accounts (and on GitHub, also not FAS related). I'm not sure that the > "classic" bugzilla login supports 2FA *at all* (while FAS does at > least to some degree).
Yes, but the inability of BZ to offer this, doesn't mean we should ignore the possiblity to mandate 2FA for FAS where we can offer it. Possibly BZ will become less relevent if we adopt the issue tracker built into forge.fedoraproject.org instead. With regards, Daniel -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
