On Tue, Jun 16, 2026 at 03:12:21AM +0000, Gary Buhrmaster wrote:
> On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote:
> 
> > I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like
> > it's mostly uncontroversial to require 2FA at least for provenpackagers,
> > but we still need to figure out how to technically implement this
> > requirement, so it'd be good to further discuss that here on the list.
> 
> Given the privileges granted to PPs, I would
> prefer to believe that most (all?) PPs will conform
> to any 2FA requirements, or choose to give up
> those privileges voluntarily if they don't want
> to do so (if there is an actual deadline) rather
> than trying to bypass (game) the system (as
> these are some of the uber-trusted individuals
> in the community)

IIUC from the group membership, it looks like we have on the order of
120 provenpackagers.  Do we know how many currently have 2FA enabled ?
This isn't something that is exposed in FAS pages.

> And while I think all packagers should require
> 2FA now, requiring it by (say) 2 months for PPs,
> and 6 months for others could be a reasonable
> schedule (I made up those numbers, change
> if there is any consensus).

Yes, IMHO, the request should be for FESCO to set a desired aspirational
timeframe for rollout across all accounts.

Other communities which did a staged rollout to "top 100" maintainers
first quickly followed up to make it universal, as there is still plenty
of impact from account takeover outside the so called "top 100" accounts.

Starting with a mandate for PPs in 2 months, extending to 6 months
for all is a reasonable kind of approach to plan for, refining if
required later.

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to