On Mon, Jun 22, 2026 at 04:32:20PM +0000, Gary Buhrmaster wrote: > On Mon, Jun 22, 2026 at 3:43 PM Daniel P. Berrangé <[email protected]> > wrote: > > IMHO emailing admins is a process of last resort. You definitely need > > that to be possible, but you don't want users to have to use it as the > > primary process. > > > > When I talk of recovery tokens, I mean a system that is "self service" > > that does not create a burden / bottleneck on our admins long term. > > I think that is a great goal, but how often does the > need to recover a token actually happen?[0] Sure, > we only have a small number of people with 2FA > today, but the raw number of recovery incidents > should be helpful to know (and can be improperly > extrapolated to estimate the future load on > the admins).
That is a good question. Let's say we have 10 reset requests per year. Designing, implementing, and perfecting the system to do this seems completely overkill. Also, going through releng might be good for security. On Mon, Jun 22, 2026 at 12:18:13PM -0400, Stephen J Smoogen wrote: > A problem in the past of making this self-service was that all of > the methods which were 'easy' to implement were also 'easy' to game > into a takeover without much work. Since we were putting this in > place for `sysadmin-main` and possibly for `proven-packagers` this > meant the easy self-service would allow for complete project > compromise.. Trying to make it harder ended up with a larger amount > of work no one had a remit to prioritize. Yep. I'd trust one of our folks to be better at spotting a potential takeover attempt then some automated system. E.g. releng knows that any Red Hatter should be using the RH authentication system and anything else requires extra scrutiny. Zbyszek -- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
