On Thu, 11 Jun 2026 at 14:47, Michael Catanzaro via devel <[email protected]> wrote: > > I use 2FA for basically everything except Fedora. Yet my Fedora account is > one of my highest-value accounts. Compromise a Fedora packager and you can > push malware more or less directly to users. > > I'm afraid Fedora is just not ready for 2FA. Kerberos is currently the > biggest problem. No way would I be willing to enable 2FA before > gnome-online-accounts is able to handle ticket renewals: > https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171 > > And even if gnome-online-accounts could theoretically handle 2FA, I still > wouldn't be willing to enable it to see whether it works, because if it > doesn't work there is no way to disable 2FA without requesting admin > intervention. > > Presumably almost everybody agrees that we should eventually require 2FA. But > first we need to get everything working well, and we're not close yet. Then > it ought to be optional for a year or two after that point so we can try it > out without fear that we will be locked in if there are problems, so we can > complete the transition smoothly.
I've been using 2FA on Fedora for years, it's a requirement for sysadmin privs, and it generally works fine for me, at least it's no worse than any other kerberos based 2FA platforms. -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
