On Thu, Jun 11, 2026, at 09:59, Daniel P. Berrangé wrote: > On Thu, Jun 11, 2026 at 08:52:54AM -0500, Michael Catanzaro via devel wrote: >> Also, I'm pretty sure I've written more or less this same >> mail to this list before, possibly several years ago, and >> we've had no progress since then. Unfortunately we're all >> busy with our usual work, and nobody has been prioritizing >> these problems. So: basically the usual explanation for >> how things happen in open source projects. > > No one is motivated to prioritize improving 2FA because it is not > mandatory. Set a deadline for making it mandatory and it'll nudge > someone into making it a priority. >
As much as I would 'love' that this is the one true fix... it is part of a complicated puzzle. The absolute highest priority that pushes various authentication and other changes to being lower is that Fedora "MUST(*)" produce two releases a year with about 6 month regularity, and various composes for I releases, J architectures, K artifacts, and L packages happens every day. In order to do that the build infrastructure is 24x7x365 as much as possible in order that goal is met. Further complications are that the build architecture is spread over M different toolsets and N different sub-authentication methods and O different 'owners' all of who have slightly different takes on 'standard authentication methods'. And finally there are O different reasons developer workflows would be broken and have to be 'worked around'. Anything which slows down builds or makes an already complicated system worse, gets pushed down the queue over higher priority items. Pretty much every time it is said "This time will be different and you have this top priority to work on this over other items" gets a week later "I know we said that, but we really need to make sure that this compose gets out for X reasons so drop whatever you are doing and help" The large IxJxKxLxMxNxO mess makes everything really complicated to put into place. Infrastructure has been trying to replace Nagios with anything else since 2009.. We have been trying to replace/improve other critical infrastructure for about as long. Many of those were listed as 'mandatory' but after the reality of how much had to be fixed/changed/altered/convinced to stop complaining.. it gets put lower as "The Builds Must Flow". (*) MUST is probably too strong a word since it gets missed somewhat.. however any glitch in "oh my build got cancelled", "where is my compose", "why don't you have bigger builders for my oooh so important package with a new CVE." constantly push a "SHOULD" into a "MUST" as being told "No" gets escalated quickly. > Or we could continue ignoring the problem until another Fedora > account's credentials are compromised and does greater damage > that causes Fedora significant reputational harm. > > With regards, > Daniel > -- > |: https://berrange.com ~~ https://hachyderm.io/@berrange :| > |: https://libvirt.org ~~ https://entangle-photo.org :| > |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| > > -- > _______________________________________________ > devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://forge.fedoraproject.org/infra/tickets/issues/new -- Stephen J Smoogen. Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
