On Mon, 2026-06-15 at 09:23 +0100, Daniel P. Berrangé wrote:
> On Sat, Jun 13, 2026 at 02:51:01PM +0100, Peter Robinson wrote:
> > On Sat, 13 Jun 2026 at 09:57, Adam Williamson
> > <[email protected]> wrote:
> > > 
> > > On Sat, 2026-06-13 at 04:04 +0000, Gary Buhrmaster wrote:
> > > > On Sat, Jun 13, 2026 at 12:01 AM Michael Catanzaro via devel
> > > > <[email protected]> wrote:
> > > > > 
> > > > > OK, I'm convinced you're right. It's time.
> > > > > --
> > > > 
> > > > So, to the "management", how do we
> > > > make such a 2FA requirement happen?
> > > > I presume this needs to go through a
> > > > process to approve any such changes?
> > > 
> > > I *think* a general 2FA requirement for packagers or provenpackagers
> > > should go to FESCo? There's FPC, but I think FPC's remit is the
> > > packaging guidelines, not wider rules like this.
> > 
> > Or possibly council if it's a policy thing?
> 
> Last time this was proposed it went to FESCO
> 
>   https://pagure.io/fesco/issue/3186
> 
> I would see Council's role as setting a strategic plan "Secure the
> Fedora Community", while FESCO would still own the impl of such a
> plan, of which 2FA for packager accounts is one aspect. So I'd be
> inclined to re-file ticket 3186

In person at Flock, Kevin noted that even if FESCo were to declare "We
must Require 2FA!", it's technically difficult to really implement this
ATM. Apparently there's no simple way to actually enforce that 2FA is
enabled for commits to dist-git or package builds. There's a sort of
hacky way we can "require 2FA" for very small groups (like sysadmin-
main) - an after-the-fact script that can tell whether an action that
*happened* was done with 2FA, and then we can go yell at people who
didn't follow the rule. But that's probably not really going to scale
well to a bigger group like "packagers" or "provenpackagers".

So I didn't file the ticket yet for that reason. I'll talk more with
Kevin about what might be a way to move forward here.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @[email protected]
https://www.happyassassin.net



-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to