Offlist Accounts supports it at the scale it is used currently. I have seen it fall over a lot at that.. and trying to fix it to scale has been part of the holding pattern. A lot of infra is barely held together by baling wire and duct tape and Kevin Fenzi never resting.
I have been wanting 2 factor for everything since we first implemented but I also have seen how delicate the system can be. On Tue, Jun 16, 2026, at 07:43, Daniel P. Berrangé wrote: > On Tue, Jun 16, 2026 at 07:26:03AM -0400, Stephen J Smoogen wrote: >> >> >> On Mon, Jun 15, 2026, at 23:12, Gary Buhrmaster wrote: >> > On Mon, Jun 15, 2026 at 10:20 PM Maxwell G <[email protected]> wrote: >> > >> >> I filed <https://pagure.io/fesco/issue/3618> earlier. It sounds like >> >> it's mostly uncontroversial to require 2FA at least for provenpackagers, >> >> but we still need to figure out how to technically implement this >> >> requirement, so it'd be good to further discuss that here on the list. >> > >> > Given the privileges granted to PPs, I would >> > prefer to believe that most (all?) PPs will conform >> > to any 2FA requirements, or choose to give up >> > those privileges voluntarily if they don't want >> > to do so (if there is an actual deadline) rather >> > than trying to bypass (game) the system (as >> > these are some of the uber-trusted individuals >> > in the community) >> > >> > And while I think all packagers should require >> > 2FA now, requiring it by (say) 2 months for PPs, >> > and 6 months for others could be a reasonable >> > schedule (I made up those numbers, change >> > if there is any consensus). >> > >> >> >> Well you are going to need to get all the other parts of >> the release system working first to make 2factor work. >> That could take 2 to 3 years depending on the complexity >> of current and additional systems with on going schedules, >> additional features expected to be added to the Fedora >> system etc. there are a lot of parts which will need to >> either stop if 2fa isn’t there or similar. >> >> I mean you could say they all need 2fa but if fedpkg push >> just does things without forcing a second factor or the >> dozen other things which could upload, trigger a build, >> say a build can be pushed to production don’t honor 2fa >> it is security theater > > The accounts.fedoraproject.org site supports 2FA at the web login screen. > Enforcing 2FA there is not sufficient to protect the entire of Fedora, > but at the same time, it is also not nothing. > > Some Fedora services are primarily, or exclusively, web based and would > benefit from this. > > The accounts.fedoraproject.org site is where we can grant membership > of other groups to users. That is meaningful to protect with 2FA IMHO. > > We must start with enforcing what we have available today, which is > the accounts.fedoraproject.org login process, while also being honest > about what this can & can't protect today. Plan for other improvements > to be done asynchronously over time. > > Waiting for every other service to be "perfectly" protected by 2FA is > a recipe for Fedora to never enable 2FA at all, which is the holding > pattern we've been in for years now. > > With regards, > Daniel > -- > |: https://berrange.com ~~ https://hachyderm.io/@berrange :| > |: https://libvirt.org ~~ https://entangle-photo.org :| > |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| > > -- > _______________________________________________ > devel mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam, report it: > https://forge.fedoraproject.org/infra/tickets/issues/new -- Stephen J Smoogen. Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
