I'm a big proponent of the idea of "don't make policies you can't
enforce", but it's worth noting that it doesn't say "you can't
*automatically* enforce." Would it be ideal if every relevant system
automatically enforced a 2FA requirement? Yes. Do we still improve the
overall security posture of the project by having a policy that's
periodically checked through some semi-manual process? Also yes. We do
this with the semi-annual packager activity checks, for example.

Security is always going to be imperfect. Let's at least reduce the exposure.

-- 
Ben Cotton (he/him)
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/User:Bcotton
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to