On Wed, Jul 1, 2026 at 9:33 AM Daniel P. Berrangé <[email protected]>
wrote:

> On Tue, Jun 30, 2026 at 10:42:59AM -0600, Brendan Conoboy wrote:
> > - 2FA for all packagers: My team was working on a proposal when FESCo
> > invented a lesser process for the change scoped to proven packagers.  We
> > assumed the full formal process was needed, but when contemplating
> > something similar, FESCo choose a simpler path. We would have engaged
> > sooner if we'd known there was a lower bar.
>
> FWIW, the use of a directly filed FESCO ticket to decide on 2FA policy
> was consistent with the previous way FESCO handled a suggestion to
> mandate 2FA two years ago shortly after the xz incident.
>
> A rollout of 2FA to PP is merely a starting point. We still need a
> formal proposal for rolling it out more broadly.
>

Yes, it appears going that way would have been fine, but evidently it
didn't need to be that formal.  We view the M2FA4PP decision (grin) as a
positive development, as it will surface the issues that need to be managed
when we propose including a broader set of groups in the mandate.  In the
absence of a documented process, discussion usually gets us where we want
go, but good process gets us there faster with greater buy-in.  So, nothing
bad happened here.  But something *good* would have happened sooner if we'd
known a lower bar was an acceptable way to start things out.  Maxwell's
suggestion for a pre-feedback norm would help in cases like this.

-- 
Brendan Conoboy / Community Linux Engineering / Red Hat
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to