On Чцв, 11 чэр 2026, Michael Catanzaro via devel wrote:
I use 2FA for basically everything *except* Fedora. Yet my Fedora
account is one of my highest-value accounts. Compromise a Fedora
packager and you can push malware more or less directly to users.
I'm afraid Fedora is just not ready for 2FA. Kerberos is currently the
biggest problem. No way would I be willing to enable 2FA before
gnome-online-accounts is able to handle ticket renewals:
https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/work_items/171
And even if gnome-online-accounts could theoretically handle 2FA, I
still wouldn't be willing to enable it to see whether it works, because
if it doesn't work there is no way to disable 2FA without requesting
admin intervention.
Presumably almost everybody agrees that we should eventually require
2FA. But first we need to get everything working well, and we're not
close yet. Then it ought to be optional for a year or two *after* that
point so we can try it out without fear that we will be locked in if
there are problems, so we can complete the transition smoothly.
This is purely on GNOME folks side, Michael. I submitted a working
solution two years ago as
https://gitlab.gnome.org/GNOME/gnome-online-accounts/-/merge_requests/250
and it stuck on GOA developers side.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new