On Thu, 11 Jun 2026 at 14:47, Michael Catanzaro via devel
<[email protected]> wrote:
>
> I use 2FA for basically everything except Fedora. Yet my Fedora account is 
> one of my highest-value accounts. Compromise a Fedora packager and you can 
> push malware more or less directly to users.
>
> I'm afraid Fedora is just not ready for 2FA. Kerberos is currently the 
> biggest problem. No way would I be willing to enable 2FA before 
> gnome-online-accounts is able to handle ticket renewals: 
> https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171
>
> And even if gnome-online-accounts could theoretically handle 2FA, I still 
> wouldn't be willing to enable it to see whether it works, because if it 
> doesn't work there is no way to disable 2FA without requesting admin 
> intervention.
>
> Presumably almost everybody agrees that we should eventually require 2FA. But 
> first we need to get everything working well, and we're not close yet. Then 
> it ought to be optional for a year or two after that point so we can try it 
> out without fear that we will be locked in if there are problems, so we can 
> complete the transition smoothly.

I've been using 2FA on Fedora for years, it's a requirement for
sysadmin privs, and it generally works fine for me, at least it's no
worse than any other kerberos based 2FA platforms.
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to