On 2022-10-25 20:53, Albert Astals Cid wrote:
> > Hi,
> >
> > whereas I can see the security benefit, this raises the hurdle for one
> > time contributors again a lot.
> >
> > Before you already had to register to get your merge request,
> > now you need to set this up too (or at least soon it is mandatory).
> >
> > I am not sure this is such a good thing.
> >
> > I see a point that one wants to avoid that e.g. somebody steals my
> > account that has enough rights to delete all branches in the Kate
> > repository via the web frontend.
> >
> > Could the 2FA stuff perhaps be limited to people with developer role or
> > such?
>
> Yes this would be ideal. We don't need to require 2fa for people who just
> started contributing or want to give some feedback on a MR/ticket.
>
> This should be possible with the following features:
> https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
>
> We can just require 2fa for developers because with great powers come
> great responsibilities.
>
> Cheers,
> Carl
I concur - after spending so long trying to attract casual contributors,
putting up a huge barrier like this is just not helpful. So, 2FA for
people who are able to actually mess stuff up, absolutely, we have
responsibility here and that's fine, but for casual contributors, that is
precisely the sort of thing that just outright makes people go "lol no"
and go away again, and is that really something we can afford?

From personal experience I agree, I was going to report a VLC issue,
their gitlab also uses mandatory 2FA and I was very close to just giving
up, and that was something that kind of bothered me to a certain degree.

I agree with making 2FA non mandatory for non KDE "powerful" account
holders.

Cheers,
Albert

I absolutely applaud the attempt at increasing our trustworthiness as a
community, and 2FA for people who can actually push things certainly
helps us get to that, but I also can't help but notice that the
particular choice of making it a blanket community involvement
requirement, that is, in this particular case, was made with a somewhat
narrow focus, so... just thought I'd lend my voice to the "Yeah, please
don't make our hard won casual contributors go away before they even get
here".

Hi,

could we have this? Only mandatory 2FA for accounts with more rights?

Greetings
Christoph
--
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org