I'm a big proponent of the idea of "don't make policies you can't enforce", but it's worth noting that it doesn't say "you can't *automatically* enforce." Would it be ideal if every relevant system automatically enforced a 2FA requirement? Yes. Do we still improve the overall security posture of the project by having a policy that's periodically checked through some semi-manual process? Also yes. We do this with the semi-annual packager activity checks, for example.
Security is always going to be imperfect. Let's at least reduce the exposure. -- Ben Cotton (he/him) TZ=America/Indiana/Indianapolis https://fedoraproject.org/wiki/User:Bcotton -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
