On Mon, Jun 15, 2026 at 5:13 AM Tadej Janež <[email protected]> wrote:
>
> On Thu, 2026-06-11 at 10:04 +0100, Daniel P. Berrangé wrote:
> >
> > How many of our PP have got 2FA enabled today ?
> >
> > When will we get around to mandating 2FA for all contribtors ?
> >
> > Will we ever augment OTP support with FIDO2/U2F to enable use
> > of hardware tokens ?
> >
> > GitHub has required 2FA since 2023
> > GitLab has required 2FA this year
> > PyPI has required 2FA since 2024
> >
> > IMHO it is not a good look that Fedora continues to allow passwords
> > alone, given we know we are a high value target, and the consequences
> > can be potentially far reaching. 2FA isn't a magic solution to all
> > threats, but continuing to allow passwords alone makes compromising
> > account credentials too easy.
>
> I agree and fully support implementing 2FA as a requirement for all
> Fedora packagers.
>
> I would like to point out another place where Fedora as a project is
> currently regressing its security (!).
> The new Fedora Forge doesn't support time-limited access tokens at all:
> https://forge.fedoraproject.org/forge/forge/issues/621
> This could soon become another attack vector for Fedora-targeted supply
> chain attacks.
>

It also didn't do verification of email addresses added to an account
last I checked.


-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to