> >> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like
> >> it's mostly uncontroversial to require 2FA at least for provenpackagers,
> >> but we still need to figure out how to technically implement this
> >> requirement, so it'd be good to further discuss that here on the list.
> >
> > Given the privileges granted to PPs, I would
> > prefer to believe that most (all?) PPs will conform
> > to any 2FA requirements, or choose to give up
> > those privileges voluntarily if they don't want
> > to do so (if there is an actual deadline) rather
> > than trying to bypass (game) the system (as
> > these are some of the uber-trusted individuals
> > in the community)
> >
> > And while I think all packagers should require
> > 2FA now, requiring it by (say) 2 months for PPs,
> > and 6 months for others could be a reasonable
> > schedule (I made up those numbers, change
> > if there is any consensus).
> >
>
>
> Well you are going to need to get all the other parts of the release system 
> working first to make 2factor work. That could take 2 to 3 years depending on 
> the complexity of current and additional systems with on going schedules, 
> additional features expected to be added to the Fedora system etc. there are 
> a lot of parts which will need to either stop if 2fa isn’t there or similar.

The release process should be using service accounts or API keys with
different policies surely.

> I mean you could say they all need 2fa but if fedpkg push just does things 
> without forcing a second factor or the dozen other things which could upload, 
> trigger a build, say a build can be pushed to production don’t honor 2fa it 
> is security theater

Again a lot of these already work with API keys, like pagure (and
presumably forge) has API keys even for end users that expire.

> > It would seem to me that someone (with the
> > appropriate authorizations) could first check
> > with FAS to see if an individual has 2FA
> > enabled on the account, with notifications
> > if not enabled, and as the deadline passes,
> > removal from the packager(s) groups.  Likely
> > a number of manual steps at the moment,
> > but probably doable for the one-off change
> > (and being granted packager status in the
> > future would require 2FA).
> > --
> > _______________________________________________
> > devel mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/[email protected]
> > Do not reply to spam, report it:
> > https://forge.fedoraproject.org/infra/tickets/issues/new
>
> --
> Stephen J Smoogen.
> Let us be kind to one another, for most of us are fighting a hard battle. -- 
> Ian MacClaren
> --
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://forge.fedoraproject.org/infra/tickets/issues/new
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to