On Tue, Jun 16, 2026 at 07:26:03AM -0400, Stephen J Smoogen wrote:
> 
> 
> On Mon, Jun 15, 2026, at 23:12, Gary Buhrmaster wrote:
> > On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote:
> >
> >> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like
> >> it's mostly uncontroversial to require 2FA at least for provenpackagers,
> >> but we still need to figure out how to technically implement this
> >> requirement, so it'd be good to further discuss that here on the list.
> >
> > Given the privileges granted to PPs, I would
> > prefer to believe that most (all?) PPs will conform
> > to any 2FA requirements, or choose to give up
> > those privileges voluntarily if they don't want
> > to do so (if there is an actual deadline) rather
> > than trying to bypass (game) the system (as
> > these are some of the uber-trusted individuals
> > in the community)
> >
> > And while I think all packagers should require
> > 2FA now, requiring it by (say) 2 months for PPs,
> > and 6 months for others could be a reasonable
> > schedule (I made up those numbers, change
> > if there is any consensus).
> >
> 
> 
> Well you are going to need to get all the other parts of
> the release system working first to make 2factor work.
> That could take 2 to 3 years depending on the complexity
> of current and additional systems with on going schedules,
> additional features expected to be added to the Fedora
> system etc. there are a lot of parts which will need to
> either stop if 2fa isn’t there or similar. 
> 
> I mean you could say they all need 2fa but if fedpkg push
> just does things without forcing a second factor or the
> dozen other things which could upload, trigger a build,
> say a build can be pushed to production don’t honor 2fa
> it is security theater

The accounts.fedoraproject.org site supports 2FA at the web login screen.
Enforcing 2FA there is not sufficient to protect the entire of Fedora,
but at the same time, it is also not nothing.

Some Fedora services are primarily, or exclusively, web based and would
benefit from this.

The accounts.fedoraproject.org site is where we can grant membership
of other groups to users. That is meaningful to protect with 2FA IMHO.

We must start with enforcing what we have available today, which is
the accounts.fedoraproject.org login process, while also being honest
about what this can & can't protect today. Plan for other improvements
to be done asynchronously over time.

Waiting for every other service to be "perfectly" protected by 2FA is
a recipe for Fedora to never enable 2FA at all, which is the holding
pattern we've been in for years now.

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to