On Mon, Jun 15, 2026, at 23:12, Gary Buhrmaster wrote:
> On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote:
>
>> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like
>> it's mostly uncontroversial to require 2FA at least for provenpackagers,
>> but we still need to figure out how to technically implement this
>> requirement, so it'd be good to further discuss that here on the list.
>
> Given the privileges granted to PPs, I would
> prefer to believe that most (all?) PPs will conform
> to any 2FA requirements, or choose to give up
> those privileges voluntarily if they don't want
> to do so (if there is an actual deadline) rather
> than trying to bypass (game) the system (as
> these are some of the uber-trusted individuals
> in the community)
>
> And while I think all packagers should require
> 2FA now, requiring it by (say) 2 months for PPs,
> and 6 months for others could be a reasonable
> schedule (I made up those numbers, change
> if there is any consensus).
>


Well you are going to need to get all the other parts of the release system 
working first to make 2factor work. That could take 2 to 3 years depending on 
the complexity of current and additional systems with on going schedules, 
additional features expected to be added to the Fedora system etc. there are a 
lot of parts which will need to either stop if 2fa isn’t there or similar. 

I mean you could say they all need 2fa but if fedpkg push just does things 
without forcing a second factor or the dozen other things which could upload, 
trigger a build, say a build can be pushed to production don’t honor 2fa it is 
security theater 



> It would seem to me that someone (with the
> appropriate authorizations) could first check
> with FAS to see if an individual has 2FA
> enabled on the account, with notifications
> if not enabled, and as the deadline passes,
> removal from the packager(s) groups.  Likely
> a number of manual steps at the moment,
> but probably doable for the one-off change
> (and being granted packager status in the
> future would require 2FA).
> -- 
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://forge.fedoraproject.org/infra/tickets/issues/new

-- 
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle. -- 
Ian MacClaren
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to