On Thu, Jun 18, 2026 at 9:01 PM Kevin Fenzi <[email protected]> wrote:
> So, we can surely change the requirement to be MUST (and we probibly > should), but there's a bunch of corner cases and things to note: (is that a "should" or a "MUST" (ha ha)) SHOULD was best the community would seem to accept at the time due to some strong objections to a MUST. > The new ssh keys that use fido2/etc won't work against > src.fedoraproject.org because it's RHEL8 and doesn't understand them, > but we could perhaps setup some requirement for the new forgejo setup > to need them. Is there any resourced plan to upgrade to a RHEL that supports the ssh FIDO2 encryption types? I would love to migrate to a FIDO2 required ssh key (and while I am not a PP, so am probably not a major risk to the community, I like to believe I take security seriously). > - Indeed if you loose all access to all your otps, you currently have to > manually email us and do something to prove your are you in order for > us to clear them. This can be any of: gpg signed emails, ssh access, > external verify if we have access to it/trust it, etc. Whatever is > available and trustworthy. That said, I would urge everyone with an > otp enrolled to... enroll at least one backup one. In some cases a TOTP solution provider may back up the secret to a differently authenticated source (I believe Apple users can backup to the iCloud Keychain, and Google users can use their Google Authenticator cloud backup). Those backups typically require their own validation (including in some cases passkeys) to recover. -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
