On Thu, Jun 11, 2026 at 08:46:45AM -0500, Michael Catanzaro via devel wrote:
> I use 2FA for basically everything *except* Fedora. Yet my Fedora
> account is one of my highest-value accounts. Compromise a Fedora
> packager and you can push malware more or less directly to users.

Yep, we're simply lucky that Fedora hasn't already suffered from
such attacks. Our luck will run out sooner or later and when that
happens, our reputation will be harmed when people see we've known
we've needed 2FA for years & yet not treated it as a priority.
I don't want to wake up to see Fedora in such news headlines :-(

> I'm afraid Fedora is just not ready for 2FA. Kerberos is currently
> the biggest problem. No way would I be willing to enable 2FA before
> gnome-online-accounts is able to handle ticket renewals:
> https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171

This GNOME limitation feels very much like a "nice to have" category
item rather than something that should be treated as a blocker. Not
everyone uses GNOME, and IIUC there's still the fallback to the CLI
so this bug is just a usability improvement.

> And even if gnome-online-accounts could theoretically handle
> 2FA, I still wouldn't be willing to enable it to see whether
> it works, because if it doesn't work there is no way to disable
> 2FA without requesting admin intervention.

With mandatory 2FA disabling 2FA is not a concept that would exist.
Re-setting 2FA credentials is needed, but admin intervention isn't
that much different from what's needed in many other services that
use 2FA

It would be better if Fedora had a "recovery tokens" concept like
most other sites do for 2FA thogh.

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to