On Mon, Jun 15, 2026 at 5:13 AM Tadej Janež <[email protected]> wrote: > > On Thu, 2026-06-11 at 10:04 +0100, Daniel P. Berrangé wrote: > > > > How many of our PP have got 2FA enabled today ? > > > > When will we get around to mandating 2FA for all contribtors ? > > > > Will we ever augment OTP support with FIDO2/U2F to enable use > > of hardware tokens ? > > > > GitHub has required 2FA since 2023 > > GitLab has required 2FA this year > > PyPI has required 2FA since 2024 > > > > IMHO it is not a good look that Fedora continues to allow passwords > > alone, given we know we are a high value target, and the consequences > > can be potentially far reaching. 2FA isn't a magic solution to all > > threats, but continuing to allow passwords alone makes compromising > > account credentials too easy. > > I agree and fully support implementing 2FA as a requirement for all > Fedora packagers. > > I would like to point out another place where Fedora as a project is > currently regressing its security (!). > The new Fedora Forge doesn't support time-limited access tokens at all: > https://forge.fedoraproject.org/forge/forge/issues/621 > This could soon become another attack vector for Fedora-targeted supply > chain attacks. >
It also didn't do verification of email addresses added to an account last I checked. -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
