On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote:

> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like
> it's mostly uncontroversial to require 2FA at least for provenpackagers,
> but we still need to figure out how to technically implement this
> requirement, so it'd be good to further discuss that here on the list.

Given the privileges granted to PPs, I would
prefer to believe that most (all?) PPs will conform
to any 2FA requirements, or choose to give up
those privileges voluntarily if they don't want
to do so (if there is an actual deadline) rather
than trying to bypass (game) the system (as
these are some of the uber-trusted individuals
in the community)

And while I think all packagers should require
2FA now, requiring it by (say) 2 months for PPs,
and 6 months for others could be a reasonable
schedule (I made up those numbers, change
if there is any consensus).

It would seem to me that someone (with the
appropriate authorizations) could first check
with FAS to see if an individual has 2FA
enabled on the account, with notifications
if not enabled, and as the deadline passes,
removal from the packager(s) groups.  Likely
a number of manual steps at the moment,
but probably doable for the one-off change
(and being granted packager status in the
future would require 2FA).
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to