On Mon, Jun 15, 2026, at 23:12, Gary Buhrmaster wrote: > On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote: > >> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like >> it's mostly uncontroversial to require 2FA at least for provenpackagers, >> but we still need to figure out how to technically implement this >> requirement, so it'd be good to further discuss that here on the list. > > Given the privileges granted to PPs, I would > prefer to believe that most (all?) PPs will conform > to any 2FA requirements, or choose to give up > those privileges voluntarily if they don't want > to do so (if there is an actual deadline) rather > than trying to bypass (game) the system (as > these are some of the uber-trusted individuals > in the community) > > And while I think all packagers should require > 2FA now, requiring it by (say) 2 months for PPs, > and 6 months for others could be a reasonable > schedule (I made up those numbers, change > if there is any consensus). >
Well you are going to need to get all the other parts of the release system working first to make 2factor work. That could take 2 to 3 years depending on the complexity of current and additional systems with on going schedules, additional features expected to be added to the Fedora system etc. there are a lot of parts which will need to either stop if 2fa isn’t there or similar. I mean you could say they all need 2fa but if fedpkg push just does things without forcing a second factor or the dozen other things which could upload, trigger a build, say a build can be pushed to production don’t honor 2fa it is security theater > It would seem to me that someone (with the > appropriate authorizations) could first check > with FAS to see if an individual has 2FA > enabled on the account, with notifications > if not enabled, and as the deadline passes, > removal from the packager(s) groups. Likely > a number of manual steps at the moment, > but probably doable for the one-off change > (and being granted packager status in the > future would require 2FA). > -- > _______________________________________________ > devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://forge.fedoraproject.org/infra/tickets/issues/new -- Stephen J Smoogen. Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
