Re: Gitlab update, 2FA now mandatory
On 2022-10-25 21:29, Christoph Cullmann (cullmann.io) wrote:
> On 2022-10-25 20:53, Albert Astals Cid wrote:
>>> i concur - after spending so long trying to attract casual contributors, putting up a huge barrier like this is just not helpful. So, 2FA for people who are able to actually mess stuff up, absolutely, we have responsibility here and that's fine, but for casual contributors, that is precisely the sort of thing that just outright makes people go "lol no" and go away again, and is that really something we can afford?
>>
>> From personal experience I agree, I was going to report a VLC issue, their gitlab also uses mandatory 2FA and I was very close to just giving up, and that was something that kind of bothered me to a certain degree.
>>
>> I agree with making 2FA non-mandatory for non KDE "powerful" account holders.
>
> hi, one other side note, e.g. my GitHub account login stays after valid 2FA auth valid in my Chromium browser even over reboots on my normal machine.
>
> Is that something one can configure or is GitLab just not able to support this?
>
> Makes the use on the home pc a lot less annoying.

Just forget that question, my 'remember me' checkbox was just not on ;)

Greetings
Christoph

--
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org
Re: Gitlab update, 2FA now mandatory
On 2022-10-25 20:53, Albert Astals Cid wrote:
>> i concur - after spending so long trying to attract casual contributors, putting up a huge barrier like this is just not helpful. So, 2FA for people who are able to actually mess stuff up, absolutely, we have responsibility here and that's fine, but for casual contributors, that is precisely the sort of thing that just outright makes people go "lol no" and go away again, and is that really something we can afford?
>
> From personal experience I agree, I was going to report a VLC issue, their gitlab also uses mandatory 2FA and I was very close to just giving up, and that was something that kind of bothered me to a certain degree.
>
> I agree with making 2FA non-mandatory for non KDE "powerful" account holders.

hi, one other side note, e.g. my GitHub account login stays after valid 2FA auth valid in my Chromium browser even over reboots on my normal machine.

Is that something one can configure or is GitLab just not able to support this?

Makes the use on the home pc a lot less annoying.

Greetings
Christoph

--
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org
Re: Gitlab update, 2FA now mandatory
On Tuesday, 25 October 2022 at 12:19:36 (CEST), Dan Leinir Turthra Jensen wrote:
> On Tuesday, 25 October 2022 11:11:46 BST Carl Schwan wrote:
> > On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:
> > > On 2022-10-23 08:32, Ben Cooksley wrote:
> > > > Hi all,
> > > >
> > > > This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> > > > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > > >
> > > > There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> > > >
> > > > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)
> > > >
> > > > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> > > >
> > > > Please let us know if there are any queries on the above.
> > >
> > > Hi,
> > >
> > > whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.
> > >
> > > Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).
> > >
> > > I am not sure this is such a good thing.
> > >
> > > I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.
> > >
> > > Could the 2FA stuff perhaps be limited to people with developer role or such?
> >
> > Yes this would be ideal. We don't need to require 2fa for people who just started contributing or want to give some feedback on a MR/ticket.
> >
> > This should be possible with the following features: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> >
> > We can just require 2fa for developers because with great powers come great responsibilities.
> >
> > Cheers,
> > Carl
>
> i concur - after spending so long trying to attract casual contributors, putting up a huge barrier like this is just not helpful. So, 2FA for people who are able to actually mess stuff up, absolutely, we have responsibility here and that's fine, but for casual contributors, that is precisely the sort of thing that just outright makes people go "lol no" and go away again, and is that really something we can afford?

From personal experience I agree, I was going to report a VLC issue, their gitlab also uses mandatory 2FA and I was very close to just giving up, and that was something that kind of bothered me to a certain degree.

I agree with making 2FA non-mandatory for non KDE "powerful" account holders.

Cheers,
  Albert

> I absolutely applaud the attempt at increasing our trustworthiness as a community, and 2FA for people who can actually push things certainly helps us get to that, but i also can't help but notice that the particular choice of making it a blanket community involvement requirement, that is, in this particular case, was made with a somewhat narrow focus, so... just thought i'd lend my voice to the "Yeah, please don't make our hard won casual contributors go away before they even get here".
Re: Gitlab update, 2FA now mandatory
On 2022-10-25 14:55, Ahmad Samir wrote:
> On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:
>> On 2022-10-25 13:52, Ahmad Samir wrote:
>>> On 25/10/22 13:29, Harald Sitter wrote:
>>>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:
>>>>> Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? if yes, then, first time contributors can disrupt the system.
>>>>>
>>>>> Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from Sysadmin team talking about something like that)? were these first time contributors or ones with developer accounts?
>>>>
>>>> I'm sure 2fa doesn't help with that (:
>>>
>>> I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? it's not hard, but it takes some extra time.
>>>
>>> Which forum would a spammer target? the one with the "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?
>>
>> That is true, but did we have concrete issues with spam accounts? And if yes, a one time captcha solving is a lot lower barrier than the need to do 2fa auth for a trivial issue comment or merge request.
>>
>> At least for any part I work on in KDE the issue is manpower. Any step to make it easier to help is good. Any step to make it harder is bad.
>>
>> I see the point why we do not work on GitHub, I don't like to be dependent on some random company that in worst case can randomly pull the plug.
>>
>> But I somehow don't understand why we need to enforce this now even for new accounts without rights.
>>
>> I must confess I would like it even more if 2fa would only be required on doing some action that is problematic and not just on any issue or merge request comment. But I assume that is not feasible.
>>
>> Greetings
>> Christoph
>
> FWIW, when I log in to GitHub, they email me a pin number that I have to put in the web page, for me it's exactly the same level of inconvenience:
> - "check email, find pin, copy, paste"
> - "check app on phone, type pin"

A mail is a lot easier on many devices, at least for me.

My Kindle Fire can read my mails, but per default has zero otp stuff I could use.

Same for my different work computers. All can get mail, none had before any such application.

Therefore, yes, GitHub or the Steam Store work for me without any extra setup effort. A mail address was required anyways.

And no, not even per default KDE Plasma ships with any obviously well integrated otp client.

Greetings
Christoph

--
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org
Re: Gitlab update, 2FA now mandatory
On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:
> On 2022-10-25 13:52, Ahmad Samir wrote:
>> On 25/10/22 13:29, Harald Sitter wrote:
>>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:
>>>> Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? if yes, then, first time contributors can disrupt the system.
>>>>
>>>> Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from Sysadmin team talking about something like that)? were these first time contributors or ones with developer accounts?
>>>
>>> I'm sure 2fa doesn't help with that (:
>>
>> I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? it's not hard, but it takes some extra time.
>>
>> Which forum would a spammer target? the one with the "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?
>
> That is true, but did we have concrete issues with spam accounts? And if yes, a one time captcha solving is a lot lower barrier than the need to do 2fa auth for a trivial issue comment or merge request.
>
> At least for any part I work on in KDE the issue is manpower. Any step to make it easier to help is good. Any step to make it harder is bad.
>
> I see the point why we do not work on GitHub, I don't like to be dependent on some random company that in worst case can randomly pull the plug.
>
> But I somehow don't understand why we need to enforce this now even for new accounts without rights.
>
> I must confess I would like it even more if 2fa would only be required on doing some action that is problematic and not just on any issue or merge request comment. But I assume that is not feasible.
>
> Greetings
> Christoph

FWIW, when I log in to GitHub, they email me a pin number that I have to put in the web page, for me it's exactly the same level of inconvenience:
- "check email, find pin, copy, paste"
- "check app on phone, type pin"

Regards,
Ahmad Samir
Re: Gitlab update, 2FA now mandatory
On Tue, Oct 25, 2022 at 1:52 PM Ahmad Samir wrote:
> On 25/10/22 13:29, Harald Sitter wrote:
> > On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:
> >> Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? if yes, then, first time contributors can disrupt the system.
> >>
> >> Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from Sysadmin team talking about something like that)? were these first time contributors or ones with developer accounts?
> >
> > I'm sure 2fa doesn't help with that (:
>
> I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? it's not hard, but it takes some extra time.

No. It's neither hard nor does it take time. 2fa is 100% scriptable.

HS
Re: Gitlab update, 2FA now mandatory
On 25 October 2022 11:19:36 BST, Dan Leinir Turthra Jensen wrote:
> On Tuesday, 25 October 2022 11:11:46 BST Carl Schwan wrote:
> > On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:
> > > On 2022-10-23 08:32, Ben Cooksley wrote:
> > > > Hi all,
> > > >
> > > > This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> > > > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > > >
> > > > There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> > > >
> > > > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)
> > > >
> > > > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> > > >
> > > > Please let us know if there are any queries on the above.
> > >
> > > Hi,
> > >
> > > whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.
> > >
> > > Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).
> > >
> > > I am not sure this is such a good thing.
> > >
> > > I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.
> > >
> > > Could the 2FA stuff perhaps be limited to people with developer role or such?
> >
> > Yes this would be ideal. We don't need to require 2fa for people who just started contributing or want to give some feedback on a MR/ticket.
> >
> > This should be possible with the following features: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> >
> > We can just require 2fa for developers because with great powers come great responsibilities.
> >
> > Cheers,
> > Carl
>
> i concur - after spending so long trying to attract casual contributors, putting up a huge barrier like this is just not helpful. So, 2FA for people who are able to actually mess stuff up, absolutely, we have responsibility here and that's fine, but for casual contributors, that is precisely the sort of thing that just outright makes people go "lol no" and go away again, and is that really something we can afford?
>
> I absolutely applaud the attempt at increasing our trustworthiness as a community, and 2FA for people who can actually push things certainly helps us get to that, but i also can't help but notice that the particular choice of making it a blanket community involvement requirement, that is, in this particular case, was made with a somewhat narrow focus, so... just thought i'd lend my voice to the "Yeah, please don't make our hard won casual contributors go away before they even get here".

I agree. Anybody without a real commitment to KDE would be likely to be put off by this requirement.

I also concur with Frederik, that there are people who have no previous exposure to this form of 2FA. The only form of 2FA which I have previously encountered is by text to my mobile phone. I had no idea that apps for this purpose existed. Because I develop KDE software, I have the motivation to find out how to set up 2FA for invent. But if I was a casual user, there is no way that I'd be prepared to spend the time and effort investigating how to do it. It's far too big a hurdle for somebody such as me who's not already committed to the project.

--
David Jarvie
KAlarm author, KDE developer
Re: Gitlab update, 2FA now mandatory
On 2022-10-25 13:52, Ahmad Samir wrote:
> On 25/10/22 13:29, Harald Sitter wrote:
>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:
>>> Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? if yes, then, first time contributors can disrupt the system.
>>>
>>> Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from Sysadmin team talking about something like that)? were these first time contributors or ones with developer accounts?
>>
>> I'm sure 2fa doesn't help with that (:
>
> I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? it's not hard, but it takes some extra time.
>
> Which forum would a spammer target? the one with the "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?

That is true, but did we have concrete issues with spam accounts? And if yes, a one time captcha solving is a lot lower barrier than the need to do 2fa auth for a trivial issue comment or merge request.

At least for any part I work on in KDE the issue is manpower. Any step to make it easier to help is good. Any step to make it harder is bad.

I see the point why we do not work on GitHub, I don't like to be dependent on some random company that in worst case can randomly pull the plug.

But I somehow don't understand why we need to enforce this now even for new accounts without rights.

I must confess I would like it even more if 2fa would only be required on doing some action that is problematic and not just on any issue or merge request comment. But I assume that is not feasible.

Greetings
Christoph

--
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org
Re: Gitlab update, 2FA now mandatory
On 25/10/22 13:29, Harald Sitter wrote:
> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:
>> Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? if yes, then, first time contributors can disrupt the system.
>>
>> Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from Sysadmin team talking about something like that)? were these first time contributors or ones with developer accounts?
>
> I'm sure 2fa doesn't help with that (:

I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? it's not hard, but it takes some extra time.

Which forum would a spammer target? the one with the "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?

--
Ahmad Samir
Re: Gitlab update, 2FA now mandatory
On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:
> On 25/10/22 12:11, Carl Schwan wrote:
> > On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:
> >> On 2022-10-23 08:32, Ben Cooksley wrote:
> >>> Hi all,
> >>>
> >>> This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> >>> Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >>>
> >>> There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> >>>
> >>> As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)
> >>>
> >>> Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> >>>
> >>> Please let us know if there are any queries on the above.
> >>
> >> Hi,
> >>
> >> whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.
> >>
> >> Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).
> >>
> >> I am not sure this is such a good thing.
> >>
> >> I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.
> >>
> >> Could the 2FA stuff perhaps be limited to people with developer role or such?
> >
> > Yes this would be ideal. We don't need to require 2fa for people who just started contributing or want to give some feedback on a MR/ticket.
> >
> > This should be possible with the following features: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> >
> > We can just require 2fa for developers because with great powers come great responsibilities.
> >
> > Cheers,
> > Carl
>
> Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? if yes, then, first time contributors can disrupt the system.
>
> Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from Sysadmin team talking about something like that)? were these first time contributors or ones with developer accounts?

I'm sure 2fa doesn't help with that (:
Re: Gitlab update, 2FA now mandatory
On 25/10/22 12:11, Carl Schwan wrote:
> On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:
>> On 2022-10-23 08:32, Ben Cooksley wrote:
>>> Hi all,
>>>
>>> This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
>>> Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
>>>
>>> There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
>>>
>>> As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)
>>>
>>> Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
>>>
>>> Please let us know if there are any queries on the above.
>>
>> Hi,
>>
>> whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.
>>
>> Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).
>>
>> I am not sure this is such a good thing.
>>
>> I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.
>>
>> Could the 2FA stuff perhaps be limited to people with developer role or such?
>
> Yes this would be ideal. We don't need to require 2fa for people who just started contributing or want to give some feedback on a MR/ticket.
>
> This should be possible with the following features: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
>
> We can just require 2fa for developers because with great powers come great responsibilities.
>
> Cheers,
> Carl

Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? if yes, then, first time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from Sysadmin team talking about something like that)? were these first time contributors or ones with developer accounts?

--
Ahmad Samir
Re: Gitlab update, 2FA now mandatory
On Tuesday, 25 October 2022 11:11:46 BST Carl Schwan wrote:
> On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:
> > On 2022-10-23 08:32, Ben Cooksley wrote:
> > > Hi all,
> > >
> > > This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> > > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > >
> > > There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> > >
> > > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)
> > >
> > > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> > >
> > > Please let us know if there are any queries on the above.
> >
> > Hi,
> >
> > whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.
> >
> > Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).
> >
> > I am not sure this is such a good thing.
> >
> > I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.
> >
> > Could the 2FA stuff perhaps be limited to people with developer role or such?
>
> Yes this would be ideal. We don't need to require 2fa for people who just started contributing or want to give some feedback on a MR/ticket.
>
> This should be possible with the following features: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
>
> We can just require 2fa for developers because with great powers come great responsibilities.
>
> Cheers,
> Carl

i concur - after spending so long trying to attract casual contributors, putting up a huge barrier like this is just not helpful. So, 2FA for people who are able to actually mess stuff up, absolutely, we have responsibility here and that's fine, but for casual contributors, that is precisely the sort of thing that just outright makes people go "lol no" and go away again, and is that really something we can afford?

I absolutely applaud the attempt at increasing our trustworthiness as a community, and 2FA for people who can actually push things certainly helps us get to that, but i also can't help but notice that the particular choice of making it a blanket community involvement requirement, that is, in this particular case, was made with a somewhat narrow focus, so... just thought i'd lend my voice to the "Yeah, please don't make our hard won casual contributors go away before they even get here".

--
..dan / leinir..
http://leinir.dk/
Re: Gitlab update, 2FA now mandatory
On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:
> On 2022-10-23 08:32, Ben Cooksley wrote:
> > Hi all,
> >
> > This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >
> > There isn't much notable feature wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> >
> > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone)
> >
> > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> >
> > Please let us know if there are any queries on the above.
>
> Hi,
>
> whereas I can see the security benefit, this raises the hurdle for one time contributors again a lot.
>
> Before you already had to register to get your merge request, now you need to setup this too (or at least soon it is mandatory).
>
> I am not sure this is such a good thing.
>
> I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.
>
> Could the 2FA stuff perhaps be limited to people with developer role or such?

Yes this would be ideal. We don't need to require 2fa for people who just started contributing or want to give some feedback on a MR/ticket.

This should be possible with the following features: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group

We can just require 2fa for developers because with great powers come great responsibilities.

Cheers,
Carl

>
> Greetings
> Christoph
>
> > Thanks,
> > Ben
> >
> > Links:
> > --
> > [1] http://invent.kde.org
> >
> --
> Ignorance is bliss...
> https://cullmann.io | https://kate-editor.org
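Before an administrator scopes the requirement to one group as Carl suggests, the question to answer is who that scope covers and who inside it has no second factor yet, since those accounts are locked out the moment the rule is switched on. The following is an added example, not code from the thread, from KDE sysadmin or from GitLab: an offline audit over records shaped like GitLab's REST API responses for group members (`access_level`, where Developer is 30, Maintainer 40 and Owner 50) and for users (the `two_factor_enabled` flag, which is visible in the administrator view of the users API). The member and user records are constructed sample data; the group name `teams/kde-developers` is the one Ben names in the reply quoted in Frederik's message further down the page; fetching the real records with an admin token is assumed to happen outside this script.

```python
from dataclasses import dataclass

# GitLab access levels as the REST API reports them.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Constructed sample data in the shape of GET /groups/:id/members and
# GET /users/:id (admin view). None of these accounts are real.
SAMPLE_MEMBERS = [
    {"id": 1, "username": "maint-a", "access_level": OWNER},
    {"id": 2, "username": "dev-b", "access_level": DEVELOPER},
    {"id": 3, "username": "dev-c", "access_level": DEVELOPER},
    {"id": 4, "username": "reporter-d", "access_level": REPORTER},
]
SAMPLE_USERS = {
    1: {"username": "maint-a", "two_factor_enabled": True},
    2: {"username": "dev-b", "two_factor_enabled": False},
    3: {"username": "dev-c", "two_factor_enabled": True},
    4: {"username": "reporter-d", "two_factor_enabled": False},
    5: {"username": "drive-by-e", "two_factor_enabled": False},  # not a group member at all
}


@dataclass
class EnforcementReport:
    in_scope: list      # usernames the group-level rule would apply to
    missing_2fa: list   # in-scope usernames with no second factor yet (locked out until enrolled)
    out_of_scope: list  # accounts the group rule leaves alone, which instance-wide enforcement would not


def audit_group_enforcement(members, users, min_access_level=DEVELOPER):
    """Compute who a group-scoped 2FA requirement covers, who would be locked out
    until they enrol, and who it leaves alone compared with instance-wide enforcement.
    `members` is the group's member list; `users` maps user id -> user record."""
    in_scope_ids = {m["id"] for m in members if m["access_level"] >= min_access_level}
    in_scope = sorted(users[i]["username"] for i in in_scope_ids)
    missing = sorted(users[i]["username"] for i in in_scope_ids
                     if not users[i]["two_factor_enabled"])
    out_of_scope = sorted(u["username"] for i, u in users.items() if i not in in_scope_ids)
    return EnforcementReport(in_scope, missing, out_of_scope)


def format_report(report, group="teams/kde-developers"):
    """Human-readable summary for the admin about to flip the switch."""
    return "\n".join([
        f"2FA enforcement scoped to group {group} (Developer and above):",
        f"  in scope ({len(report.in_scope)}): {', '.join(report.in_scope)}",
        f"  must enrol before the rule is switched on: {', '.join(report.missing_2fa) or 'nobody'}",
        f"  unaffected, unlike instance-wide enforcement: {', '.join(report.out_of_scope) or 'nobody'}",
    ])


if __name__ == "__main__":
    print(format_report(audit_group_enforcement(SAMPLE_MEMBERS, SAMPLE_USERS)))
```

Lowering `min_access_level` to `REPORTER` widens the scope, which is the knob to turn if the concern is accounts that can open many merge requests rather than accounts that can push; the report then shows exactly how many more people would have to enrol first.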
Re: Gitlab update, 2FA now mandatory
Hi,

making assumptions or generalising a group of people will always "forget" about some people.

What about translators? Are they all as "techy" as you imagine all our devs are? (Spoiler: no they aren't)

What about older contributors (like me)? Are they all as up-to-date with emerging technologies as you think they are? Maybe not.

I do have 2FA at work. It's a hardware token with a "put the number in this field" workflow. I did not have to set that up, I just use it.

My bank uses a very special kind of 2FA which I just recently recognised as such. Meaning, I cannot use my bank's 2FA technology for anything else so it feels like a different tech.

Otherwise I did not yet have the need for 2FA in my private life. I despise having accounts, so I do not use Paypal, Google, Amazon, Microsoft, Facebook or any other of the "common" accounts and do my online shopping as guest to not bother with login stuff there either.

So now for the KDE login I had to set up 2FA for the first time and it involved some confusion. I managed to set up KeePassXC with TOTP now but not without a close call in ruining my tax authority account credentials in the process because it was not clear to me at first that the Set up TOTP menu entry worked on one of the existing entries rather than enabling a separate way of adding accounts.

Speaking of taxes. In my country it's the last week for handing in tax reports, so I might have decided that my mind currently does not have enough free capacity to bother with keeping my KDE account working. The time span to handle this situation seems rather tight to me.

Anyway, while I see good reasoning behind the decision to use 2FA, I think it wasn't handled in a very good way. It would have been good to have more time for the change and also offer more support for people completely new to 2FA. Throwing in names of apps alone is not enough. Not everyone has time to spend an evening investigating those apps and then set one (or several) up just to realise it uses different terminology than gitlab (key vs secret key, pin vs password etc) which makes setting it up a fun little guessing game with quite some shrugging.

Please do not surprise a diverse group of people with different techy backgrounds, different age and different levels of smartness (meaning: eagerness to dig into new topics asap) with making something mandatory just because you and everyone you know are familiar with that particular tech anyway.

On a side note, I have decided to use this as an opportunity to set up 2FA for more of the few accounts I have and I also bought two Yubikeys to play around with those as well ... But I do not assume everybody appreciates that kind of opportunities.

Cheers
Frederik

On 25 October 2022 05:39:32 CEST, Victoria Fierce wrote:
>I would like to think that anyone who either knows /enough/ about KDE that they want to contribute or has used basically any other internet service before coming to KDE is already familiar with 2FA that it won't be a problem for them. Our users are smart, our devs are also (often) smart, everyone involved is probably smarter and more capable than we would imagine. If KDE contributions decline for any reason, I don't think it would be for technical ones. My bank needs 2FA, my paypal needs 2FA, my work needs lord-knows-how-much 2FA, heck even when I'm using Matrix I need to do some kind of 2FA-ish dance to verify the login and distribute crypto keys.
>
>On Mon, Oct 24, 2022, at 9:19 AM, Christoph Cullmann (cullmann.io) wrote:
>> Hi,
>> Could the 2FA stuff perhaps be limited to people with developer role or such?
>>>
>>> It is technically possible to only apply the mandatory 2FA rules to only certain groups as Developer accounts are simply membership in teams/kde-developers. See https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group for the documentation on this.
>>>
>>> Given that we are using Invent for authenticating our various other services and the users of those aren't necessarily developers (while still having access to sensitive information) it seemed more prudent to enforce 2FA for everyone to ensure all our systems have a minimum baseline of industry best practice protection in place.
>>>
>>> This also avoids any issue when people are granted a developer account and suddenly find themselves subject to a new requirement.
>>
>> I think it is rather worse that now first time contributors have this requirement.
>>
>> A lot of people already complain "why can I not just use my GitHub account', now they need to setup this in addition.
>>
>> And yes, beside for invent.kde.org, I never needed to use my Google Auth App beside for some hosting.
>>
>> All other things I use that have 2FA use different methods that don't need any such app on my phone.
>>
>> Therefore that is more than just 2