On Thu, 2026-06-11 at 08:46 -0500, Michael Catanzaro via devel wrote:
> Presumably almost everybody agrees that we should eventually require 2FA. But 
> first we need to get everything working well

Hot take, but: maybe we shouldn't.

Maybe we should make people use 2FA anyway. For two reasons:

1) I'd argue we are at a point where the prevalence of real-world
supply-chain attacks makes it sufficiently important that we need to do
it *even if the experience is bad*.
2) Bluntly stated, making people use an open source thing that sucks is
a great way to make it better. Fedora has believed this for a long
time, we just usually say it in nicer words, but that's what we *mean*.
That's why we shipped GNOME 3.0 and systemd in the same release![0]

We've been sitting on our hands saying "yeah, well, mandatory 2FA would
be great but somebody needs to fix <long wishlist> first" for years
now. It clearly isn't working. We need to do something else.

I've had 2FA turned on on my account for years, and I deal with it.
Would it be nice if g-o-a handled ticket renewal? Sure. Is it a
dealbreaker? No. I have `kinit -R [email protected]` in my
shell history. I run it once a day. It's fine.

We really, really, really need to mandate 2FA for proven packagers at
minimum.

Then we need to fix
https://forge.fedoraproject.org/forge/forge/issues/27 and mandate that
proven packagers use a secured ssh key.

Then we need to extend that to all packagers.

[0] https://fedoraproject.org/wiki/Releases/15/FeatureList
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected]
https://www.happyassassin.net



-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to