On Thu, Jun 11, 2026 at 10:04:45AM +0100, Daniel P. Berrangé wrote: > On Wed, May 27, 2026 at 12:15:44PM -0700, Adam Williamson wrote: > > On Wed, 2026-05-27 at 10:49 -0700, Adam Williamson wrote: > > > Hi, Nathan. I'm CCing devel@ and test@ so folks are aware this has been > > > going on. > > > > Update on this: Nathan got back to me and says his credentials were > > compromised and he was not the one behind this AI system. > > If we take them at their word, that this was indeed a case of > password compromise leading to account takeover, then this is > rather an embarrasing situation for Fedora IMHO. > > IIRC, we last talked about mandating 2FA for all contributors > after the xz attack 2 years ago: > > > https://lists.fedoraproject.org/archives/list/[email protected]/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV > > and AFAIR the only outcome of that was a weak docs statement that > Provenpackager "should" have 2FA enabled > > https://pagure.io/fesco/issue/3186 > https://forge.fedoraproject.org/fesco/docs/pulls/90 > > How many of our PP have got 2FA enabled today ?
Kevin answered this in a ticket[1] - we have 118 PP, and 59 on them do not have 2FA enabled. That's probably better than I expected, given we merely say "should" and haven't actively reminded PP to do this AFAIK. With regards, Daniel [1] https://pagure.io/fesco/issue/3618 -- |: https://berrange.com ~~ https://hachyderm.io/@berrange :| |: https://libvirt.org ~~ https://entangle-photo.org :| |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :| -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
