On Mon, Jun 22, 2026 at 03:06:13PM +0100, Daniel P. Berrangé wrote:
> On Thu, Jun 18, 2026 at 02:01:00PM -0700, Kevin Fenzi wrote:
> > So, we can surely change the requirement to be MUST (and we probibly
> > should), but there's a bunch of corner cases and things to note:
> 
> snip
> 
> > - We don't have any way that I know of to tell ipa that otp is required
> >   for specific groups. We can look and remove people who don't follow
> >   the policy however. In the case of provenpackagers we add them rarely
> >   these days, and it's almost always me that does it, so we could just 
> >   check before adding new users. For packager it might be more difficult
> >   since sponsors may not have a way to check, but we could check after 
> >   the fact via script or something.
> 
> Could this be a reason for mandating 2FA for /all/ accounts rather
> than selectively based on groups.
> 
> I presume we would still need work though to put up an enforcement
> flow upon login, to block further account use until 2FA is enabled.
> ie allow access to accounts.fedoraproject.org preferences page, but
> not grant access to any other service.

Sure, thats something we could do. I suspect it would really annoy a lot
of people who only have fedora accounts to login to
discussions/matrix/copr, etc.

If we can't even decide to do it for packaging groups, expanding it to
everything as a first cut seems unwise to me.

> I don't suppose there's a low effort way to introduce a "recovery tokens"
> feature for 2FA ?

Not that I am aware of. 

kevin
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to