On Thu, 2026-06-11 at 08:46 -0500, Michael Catanzaro via devel wrote: > Presumably almost everybody agrees that we should eventually require 2FA. But > first we need to get everything working well
Hot take, but: maybe we shouldn't. Maybe we should make people use 2FA anyway. For two reasons: 1) I'd argue we are at a point where the prevalence of real-world supply-chain attacks makes it sufficiently important that we need to do it *even if the experience is bad*. 2) Bluntly stated, making people use an open source thing that sucks is a great way to make it better. Fedora has believed this for a long time, we just usually say it in nicer words, but that's what we *mean*. That's why we shipped GNOME 3.0 and systemd in the same release![0] We've been sitting on our hands saying "yeah, well, mandatory 2FA would be great but somebody needs to fix <long wishlist> first" for years now. It clearly isn't working. We need to do something else. I've had 2FA turned on on my account for years, and I deal with it. Would it be nice if g-o-a handled ticket renewal? Sure. Is it a dealbreaker? No. I have `kinit -R [email protected]` in my shell history. I run it once a day. It's fine. We really, really, really need to mandate 2FA for proven packagers at minimum. Then we need to fix https://forge.fedoraproject.org/forge/forge/issues/27 and mandate that proven packagers use a secured ssh key. Then we need to extend that to all packagers. [0] https://fedoraproject.org/wiki/Releases/15/FeatureList -- Adam Williamson (he/him/his) Fedora QA Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected] https://www.happyassassin.net -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
