> >> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like > >> it's mostly uncontroversial to require 2FA at least for provenpackagers, > >> but we still need to figure out how to technically implement this > >> requirement, so it'd be good to further discuss that here on the list. > > > > Given the privileges granted to PPs, I would > > prefer to believe that most (all?) PPs will conform > > to any 2FA requirements, or choose to give up > > those privileges voluntarily if they don't want > > to do so (if there is an actual deadline) rather > > than trying to bypass (game) the system (as > > these are some of the uber-trusted individuals > > in the community) > > > > And while I think all packagers should require > > 2FA now, requiring it by (say) 2 months for PPs, > > and 6 months for others could be a reasonable > > schedule (I made up those numbers, change > > if there is any consensus). > > > > > Well you are going to need to get all the other parts of the release system > working first to make 2factor work. That could take 2 to 3 years depending on > the complexity of current and additional systems with on going schedules, > additional features expected to be added to the Fedora system etc. there are > a lot of parts which will need to either stop if 2fa isn’t there or similar.
The release process should be using service accounts or API keys with different policies surely. > I mean you could say they all need 2fa but if fedpkg push just does things > without forcing a second factor or the dozen other things which could upload, > trigger a build, say a build can be pushed to production don’t honor 2fa it > is security theater Again a lot of these already work with API keys, like pagure (and presumably forge) has API keys even for end users that expire. > > It would seem to me that someone (with the > > appropriate authorizations) could first check > > with FAS to see if an individual has 2FA > > enabled on the account, with notifications > > if not enabled, and as the deadline passes, > > removal from the packager(s) groups. Likely > > a number of manual steps at the moment, > > but probably doable for the one-off change > > (and being granted packager status in the > > future would require 2FA). > > -- > > _______________________________________________ > > devel mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedoraproject.org/archives/list/[email protected] > > Do not reply to spam, report it: > > https://forge.fedoraproject.org/infra/tickets/issues/new > > -- > Stephen J Smoogen. > Let us be kind to one another, for most of us are fighting a hard battle. -- > Ian MacClaren > -- > _______________________________________________ > devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://forge.fedoraproject.org/infra/tickets/issues/new -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
