On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote:
> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like > it's mostly uncontroversial to require 2FA at least for provenpackagers, > but we still need to figure out how to technically implement this > requirement, so it'd be good to further discuss that here on the list. Given the privileges granted to PPs, I would prefer to believe that most (all?) PPs will conform to any 2FA requirements, or choose to give up those privileges voluntarily if they don't want to do so (if there is an actual deadline) rather than trying to bypass (game) the system (as these are some of the uber-trusted individuals in the community) And while I think all packagers should require 2FA now, requiring it by (say) 2 months for PPs, and 6 months for others could be a reasonable schedule (I made up those numbers, change if there is any consensus). It would seem to me that someone (with the appropriate authorizations) could first check with FAS to see if an individual has 2FA enabled on the account, with notifications if not enabled, and as the deadline passes, removal from the packager(s) groups. Likely a number of manual steps at the moment, but probably doable for the one-off change (and being granted packager status in the future would require 2FA). -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
