Just replying to the end of this 83 post thread instead of a bunch of places in it. I was prepping for/traveling to/from at at flock, so I wasn't able to get to posting back here until now. I was able to talk to a number of folks about this at flock though. ;)
So, we can surely change the requirement to be MUST (and we probibly should), but there's a bunch of corner cases and things to note: - Pushing to src.fedoraproject.org can be done with a oauth token over https. If you have one now and you don't have a otp, that token will still work after an otp requirement. So, if someone has access to that token, they don't need your otp to push. Likewise if you get one after you have a otp, the token will still work independent of that. - Pushing to src.fedoraproject.org over ssh just requires you use a ssh key that is attached to your account. So if someone has access to that ssh private key they don't need your otp. Of course having an otp on your account means they couldnt just add their ssh key. The new ssh keys that use fido2/etc won't work against src.fedoraproject.org because it's RHEL8 and doesn't understand them, but we could perhaps setup some requirement for the new forgejo setup to need them. - We don't have any way that I know of to tell ipa that otp is required for specific groups. We can look and remove people who don't follow the policy however. In the case of provenpackagers we add them rarely these days, and it's almost always me that does it, so we could just check before adding new users. For packager it might be more difficult since sponsors may not have a way to check, but we could check after the fact via script or something. - Indeed if you loose all access to all your otps, you currently have to manually email us and do something to prove your are you in order for us to clear them. This can be any of: gpg signed emails, ssh access, external verify if we have access to it/trust it, etc. Whatever is available and trustworthy. That said, I would urge everyone with an otp enrolled to... enroll at least one backup one. If you have access to ANY otp enrolled in your account you can remove the one you no longer have access to, update things/login, etc. The recovery process only needs to happen if you have lost access to every otp attached to your account. kevin -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
