Offlist

Accounts supports it at the scale it is used currently. I have seen it fall 
over a lot at that.. and trying to fix it to scale has been part of the holding 
pattern. A lot of infra is barely held together by baling wire and duct tape 
and Kevin Fenzi never resting. 

I have been wanting 2 factor for everything since we first implemented but I 
also have seen how delicate the system can be. 

On Tue, Jun 16, 2026, at 07:43, Daniel P. Berrangé wrote:
> On Tue, Jun 16, 2026 at 07:26:03AM -0400, Stephen J Smoogen wrote:
>> 
>> 
>> On Mon, Jun 15, 2026, at 23:12, Gary Buhrmaster wrote:
>> > On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote:
>> >
>> >> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like
>> >> it's mostly uncontroversial to require 2FA at least for provenpackagers,
>> >> but we still need to figure out how to technically implement this
>> >> requirement, so it'd be good to further discuss that here on the list.
>> >
>> > Given the privileges granted to PPs, I would
>> > prefer to believe that most (all?) PPs will conform
>> > to any 2FA requirements, or choose to give up
>> > those privileges voluntarily if they don't want
>> > to do so (if there is an actual deadline) rather
>> > than trying to bypass (game) the system (as
>> > these are some of the uber-trusted individuals
>> > in the community)
>> >
>> > And while I think all packagers should require
>> > 2FA now, requiring it by (say) 2 months for PPs,
>> > and 6 months for others could be a reasonable
>> > schedule (I made up those numbers, change
>> > if there is any consensus).
>> >
>> 
>> 
>> Well you are going to need to get all the other parts of
>> the release system working first to make 2factor work.
>> That could take 2 to 3 years depending on the complexity
>> of current and additional systems with on going schedules,
>> additional features expected to be added to the Fedora
>> system etc. there are a lot of parts which will need to
>> either stop if 2fa isn’t there or similar. 
>> 
>> I mean you could say they all need 2fa but if fedpkg push
>> just does things without forcing a second factor or the
>> dozen other things which could upload, trigger a build,
>> say a build can be pushed to production don’t honor 2fa
>> it is security theater
>
> The accounts.fedoraproject.org site supports 2FA at the web login screen.
> Enforcing 2FA there is not sufficient to protect the entire of Fedora,
> but at the same time, it is also not nothing.
>
> Some Fedora services are primarily, or exclusively, web based and would
> benefit from this.
>
> The accounts.fedoraproject.org site is where we can grant membership
> of other groups to users. That is meaningful to protect with 2FA IMHO.
>
> We must start with enforcing what we have available today, which is
> the accounts.fedoraproject.org login process, while also being honest
> about what this can & can't protect today. Plan for other improvements
> to be done asynchronously over time.
>
> Waiting for every other service to be "perfectly" protected by 2FA is
> a recipe for Fedora to never enable 2FA at all, which is the holding
> pattern we've been in for years now.
>
> With regards,
> Daniel
> -- 
> |: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
> |: https://libvirt.org          ~~          https://entangle-photo.org :|
> |: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|
>
> -- 
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://forge.fedoraproject.org/infra/tickets/issues/new

-- 
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle. -- 
Ian MacClaren
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to