V Thu, Jun 18, 2026 at 02:01:00PM -0700, Kevin Fenzi napsal(a):
> Just replying to the end of this 83 post thread instead of a bunch of
> places in it. I was prepping for/traveling to/from at at flock, so I
> wasn't able to get to posting back here until now. I was able to talk
> to a number of folks about this at flock though. ;)
> 
> So, we can surely change the requirement to be MUST (and we probibly
> should), but there's a bunch of corner cases and things to note:
> 
> - Pushing to src.fedoraproject.org can be done with a oauth token over
>   https. If you have one now and you don't have a otp, that token will
>   still work after an otp requirement. So, if someone has access to 
>   that token, they don't need your otp to push. Likewise if you get one
>   after you have a otp, the token will still work independent of that.
> 
> - Pushing to src.fedoraproject.org over ssh just requires you use a 
>   ssh key that is attached to your account. So if someone has access
>   to that ssh private key they don't need your otp.

OTP with a seed stored on the computer is still an OTP and it does not differ
from a private SSH key stored on the computer.

If the policy wants to deliver that OTP is stronger than an SSH key, then the
policy should mandate the OTP seed to be stored off the computer (in legal
speak: "off the device you access Fedora Project services from").

-- Petr

Attachment: signature.asc
Description: PGP signature

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to