Just replying to the end of this 83 post thread instead of a bunch of
places in it. I was prepping for/traveling to/from at at flock, so I
wasn't able to get to posting back here until now. I was able to talk
to a number of folks about this at flock though. ;)

So, we can surely change the requirement to be MUST (and we probibly
should), but there's a bunch of corner cases and things to note:

- Pushing to src.fedoraproject.org can be done with a oauth token over
  https. If you have one now and you don't have a otp, that token will
  still work after an otp requirement. So, if someone has access to 
  that token, they don't need your otp to push. Likewise if you get one
  after you have a otp, the token will still work independent of that.

- Pushing to src.fedoraproject.org over ssh just requires you use a 
  ssh key that is attached to your account. So if someone has access
  to that ssh private key they don't need your otp. Of course having
  an otp on your account means they couldnt just add their ssh key.
  The new ssh keys that use fido2/etc won't work against
  src.fedoraproject.org because it's RHEL8 and doesn't understand them,
  but we could perhaps setup some requirement for the new forgejo setup
  to need them.

- We don't have any way that I know of to tell ipa that otp is required
  for specific groups. We can look and remove people who don't follow
  the policy however. In the case of provenpackagers we add them rarely
  these days, and it's almost always me that does it, so we could just 
  check before adding new users. For packager it might be more difficult
  since sponsors may not have a way to check, but we could check after 
  the fact via script or something. 

- Indeed if you loose all access to all your otps, you currently have to
  manually email us and do something to prove your are you in order for
  us to clear them. This can be any of: gpg signed emails, ssh access, 
  external verify if we have access to it/trust it, etc. Whatever is 
  available and trustworthy. That said, I would urge everyone with an 
  otp enrolled to... enroll at least one backup one. If you have access
  to ANY otp enrolled in your account you can remove the one you no
  longer have access to, update things/login, etc. The recovery process
  only needs to happen if you have lost access to every otp attached to 
  your account.

kevin
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to