Re: Gitlab update, 2FA now mandatory

2022-10-26 Thread Ahmad Samir

On 25/10/22 15:06, Christoph Cullmann (cullmann.io) wrote:

On 2022-10-25 14:55, Ahmad Samir wrote:

On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:

On 2022-10-25 13:52, Ahmad Samir wrote:

On 25/10/22 13:29, Harald Sitter wrote:

On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:


Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? If yes, then first time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from the Sysadmin team talking about something like that)? Were these first time contributors or ones with developer accounts?


I'm sure 2fa doesn't help with that (:


I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? It's not hard, but it takes some extra time. Which forum would a spammer target? The one with the "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?


That is true, but did we have concrete issues with spam accounts?

And if yes, a one-time captcha solving is a lot lower barrier than the need to do 2FA auth for a trivial issue comment or merge request.

At least for any part I work on in KDE the issue is manpower.

Any step to make it easier to help is good.
Any step to make it harder is bad.

I see the point why we don't work on GitHub,
I don't like to be dependent on some random company
that in the worst case can randomly pull the plug.

But I somehow don't understand why we need to enforce
this now even for new accounts without rights.

I must confess I would like it even more if 2FA
would only be required on doing some action that
is problematic and not just on any issue or merge
request comment. But I assume that is not feasible.

Greetings
Christoph



FWIW, when I log in to GitHub, they email me a PIN that I have to put in the web page; for me it's exactly the same level of inconvenience:
- "check email, find pin, copy, paste"
- "check app on phone, type pin"


A mail is a lot easier on many devices,
at least for me.

My Kindle Fire can read my mails, but by default has zero OTP stuff I could use.

Same for my different work computers.
All can get mail, none had any such application before.

Therefore, yes, GitHub or the Steam Store work for me
without any extra setup effort. A mail address was
required anyways.

And no, KDE Plasma doesn't even ship by default with
any obviously well integrated OTP client.



In this thread Ivan said Plasma Pass has OTP support:
https://mail.kde.org/pipermail/kde-community/2022q4/007309.html

(I haven't tried it myself).

Regards,
Ahmad Samir





Re: Gitlab update, 2FA now mandatory

2022-10-25 Thread Ahmad Samir

On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:

On 2022-10-25 13:52, Ahmad Samir wrote:

On 25/10/22 13:29, Harald Sitter wrote:

On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir wrote:


Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? If yes, then first time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from the Sysadmin team talking about something like that)? Were these first time contributors or ones with developer accounts?


I'm sure 2fa doesn't help with that (:


I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? It's not hard, but it takes some extra time. Which forum would a spammer target? The one with the "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?


That is true, but did we have concrete issues with spam accounts?

And if yes, a one-time captcha solving is a lot lower barrier than the need to do 2FA auth for a trivial issue comment or merge request.

At least for any part I work on in KDE the issue is manpower.

Any step to make it easier to help is good.
Any step to make it harder is bad.

I see the point why we don't work on GitHub,
I don't like to be dependent on some random company
that in the worst case can randomly pull the plug.

But I somehow don't understand why we need to enforce
this now even for new accounts without rights.

I must confess I would like it even more if 2FA
would only be required on doing some action that
is problematic and not just on any issue or merge
request comment. But I assume that is not feasible.

Greetings
Christoph



FWIW, when I log in to GitHub, they email me a PIN that I have to put in the web page; for me it's exactly the same level of inconvenience:

- "check email, find pin, copy, paste"
- "check app on phone, type pin"

Regards,
Ahmad Samir





Re: Gitlab update, 2FA now mandatory

2022-10-25 Thread Ahmad Samir

On 25/10/22 13:29, Harald Sitter wrote:

On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir  wrote:


Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? If yes, then first time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from the Sysadmin team talking about something like that)? Were these first time contributors or ones with developer accounts?


I'm sure 2fa doesn't help with that (:


I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? It's not hard, but it takes some extra time. Which forum would a spammer target? The one with the "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?


--
Ahmad Samir





Re: Gitlab update, 2FA now mandatory

2022-10-25 Thread Ahmad Samir

On 25/10/22 12:11, Carl Schwan wrote:

On Sunday 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:



On 2022-10-23 08:32, Ben Cooksley wrote:


Hi all,

This afternoon I updated invent.kde.org [1] to the latest version of
Gitlab, 15.5.
Release notes for this can be found at
https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/

There isn't much notable feature-wise in this release, however there
have been some bug fixes surrounding the "Rebase without Pipeline"
functionality that was introduced in an earlier update.

As part of securing Invent against recently detected suspicious
activity I have also enabled Mandatory 2FA, which Gitlab will ask you
to configure next time you access it. This can be done using either a
Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
your phone)

Should you lose access to your 2FA device you can obtain a recovery
token to log back in via SSH, see
https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
for more details on this.

Please let us know if there are any queries on the above.



Hi,

whereas I can see the security benefit, this raises the hurdle for one-time contributors again a lot.

Before you already had to register to get your merge request,
now you need to set up this too (or at least soon it is mandatory).

I am not sure this is such a good thing.

I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.

Could the 2FA stuff perhaps be limited to people with developer role or such?


Yes, this would be ideal. We don't need to require 2FA for people who just
started contributing or want to give some feedback on a MR/ticket.

This should be possible with the following feature:
https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group

We can just require 2FA for developers because with great power comes great
responsibility.

Cheers,
Carl



Can a first time contributor create a fork, create multiple/100 MR's and spin up CI jobs? If yes, then first time contributors can disrupt the system.


Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from the Sysadmin team talking about something like that)? Were these first time contributors or ones with developer accounts?



--
Ahmad Samir





Re: Welcome* Ingo!

2022-09-06 Thread Ahmad Samir

On 6/9/22 00:11, Aleix Pol wrote:

Hi everyone,
Last year during Akademy, we discussed different positions under the
umbrella of Make a Living in KDE. Today I'm reaching out to announce
that Ingo Klöcker (CC) will be taking on the role of App Stores
Support Engineer.

Ingo will be working with the different teams in KDE towards our
infrastructure getting prepared to have their software delivered to
the platforms they are targeting. With this, we hope to improve the
reach of our products to end users and hopefully enable them also to
make a living with their KDE products.

* I know he's been around for a while, but still, please welcome Ingo
in this new role!

Best,
Aleix Pol, KDE e.V. President


Congratulations, and may all the KDE app stores flourish with your help.

Regards,
Ahmad Samir





Re: Voting for the new KDE Goals has started

2022-09-01 Thread Ahmad Samir

On 30/8/22 14:25, Adam Szopa wrote:

Hello!

I'm happy to announce, that the voting for the new KDE Goals has started.

If you have a developer account, you should be getting your email soon.

You'll be selecting between 6 proposals, listed here:
https://phabricator.kde.org/project/view/322/

If you have a developer account but didn't get your email within a day
OR you don't have a developer account but feel that you're a
contributing member of the community, please contact me privately.

The winning proposals will be announced during Akademy 2022.


- Adam



Hello. It seems some members are arranging the tasks in the Phabricator workboard. Please note that you are not supposed to change the order of the tasks in the Phabricator link above; instead, to cast your vote, arrange the goals according to your preferences in the "survey" (a link to that survey was sent in an email to each member individually).


Regards,
Ahmad Samir





Re: Akademy 2022 Call For Papers has been deleted

2022-06-10 Thread Ahmad Samir

On 10/6/22 18:43, Albert Astals Cid wrote:

On Friday, 10 June 2022, at 18:14:33 (CEST), Albert Astals Cid wrote:

I have made a HUGE mistake.

I have deleted the Akademy 2022 event on conf.kde.org and with it all the 
submitted talks.

I am so sorry. I don't know how I ended up deleting the whole event when I just 
wanted to delete the test talk I had just submitted. I have failed you.

I have contacted the system administrators in case we are super lucky and we 
had a backup, but even if we do, some of the talks that had just been submitted 
are probably lost.

I have asked for all my rights in conf.kde.org to be removed since clearly I 
can't be trusted to use it.

Again I apologize for such a huge mistake.

Super sad,
   Albert


Kenny Coyle has fixed it and all should be back to normal, no talk submissions 
have been lost.

Albert




Good news.

But even if they were deleted, as Nate said, it is an honest mistake; it could happen to anyone, so 
to summarize, I think I echo many others when I say we still trust that you didn't/won't use your 
elevated permissions on conf.kde.org to do harm.


--
Ahmad Samir


Re: The status of freenode (the IRC network used by KDE)

2021-06-14 Thread Ahmad Samir

On 15/06/2021 04:43, Nicolás Alvarez wrote:

Freenode has now set up new servers without migrating the
nickserv/chanserv databases, and will likely turn off the old servers
later. You could say freenode has shut down and there is now a new
network under its name. We don't have any registered channels in the
"new network", or even channel topics set.

Are we going to move to libera.chat already?

It has been more than three weeks since Andrew Lee took over. I'm
*done* waiting for Matrix to reconfigure the bridge. Leaving it
unbridged entirely is preferred to the current situation. You can't
say that would split the chat community because it's already split
anyway (there are more users in libera.chat KDE channels every day, as
of yesterday irccloud users couldn't use freenode anymore, #kde hasn't
been properly bridged for a long time, etc).

Just tell me when and I'll switch IrcsomeBot/sKreamer/pursuivant bots
to libera.chat, and update documentation (I already prepared commits
for 30+ repos for this). I can also bring IrcsomeBot into Matrix rooms
temporarily until the proper Matrix appservice is set up. But I will
not accept any more delays caused by Matrix/EMS. Let's get out of
freenode.



FWIW, I had disconnected from freenode two days ago, with the intent to wait for the matrix bridges ...etc on the other, libera, side.


Have a good day.

--
Ahmad Samir


Re: The status of freenode (the IRC network used by KDE)

2021-05-19 Thread Ahmad Samir

On 19/05/2021 20:52, Nicolás Alvarez wrote:

On Wed, 19 May 2021 at 14:53, Carl Schwan
(c...@carlschwan.eu) wrote:


On Wednesday, May 19, 2021 7:45 PM, Martin Flöser wrote:


On Wednesday, 19 May 2021, 10:34:26 CEST, Christian wrote:


Dear KDE community,
KDE has been using the free services of the freenode IRC networks for a
little bit more than two decades, and hopefully happily and successfully
so.


Thanks for informing us. This sounds horrible and must have been a very
stressful time for all of you staffers.


Due to this leakage, Andrew Lee (former PIA/LTM, now shells.com)
learned of the new situation and asked democratically elected
freenode volunteers to step down from their position, as seen in the
logs linked on [4] [5] [6]
Therefore making the takeover attempt and some details public.


Given that this is driven by shells.com I think the KDE community should step
up and remove all references to shells.com. Their behavior in this case goes
clearly against our values.


I agree and created two merge requests:

* https://invent.kde.org/websites/kde-org/-/merge_requests/104
* https://invent.kde.org/websites/neon-kde-org/-/merge_requests/8

I would prefer if it's someone who was involved with setting this up that merges
these two MRs. CC Jonathan and Aleix


Aren't they sponsors? We can't *just* remove them from the website...



Yes, first give them their "sponsoring" (whatever that was) back, then remove them from the website.

(Just for the sake of fairness, we haven't heard their side of the story; obviously I am biased, the staffers who have been doing all the heavy lifting for years, their word is backed by years of work... :)).


--
Nicolás



--
Ahmad Samir


Re: The status of freenode (the IRC network used by KDE)

2021-05-19 Thread Ahmad Samir

On 19/05/2021 10:34, Christian wrote:

Dear KDE community,

KDE has been using the free services of the freenode IRC networks for a little
bit more than two decades, and hopefully happily and successfully so.

During the last few weeks, freenode was a bit in troubled waters due to what
was perceived as a potential serious threat of a takeover of the network.
Due to that, a good amount of us who have been building and running freenode
for the past decades prepared their resignation letters.
Some of these got leaked a few days ago and made it to the hackernews frontpage
and various other sites. The leaks included a personal draft of a resignation
letter.

Due to this leakage, Andrew Lee (former PIA/LTM, now shells.com)
learned of the new situation and asked democratically elected
freenode volunteers to step down from their position, as seen in the
logs linked on [4] [5] [6]
Therefore making the takeover attempt and some details public.

Included in these logs are also logs from third party users that show
that associates of Mr Lee, namely the user rdv / nirvana, contacted
various people and offered them oper access on the new network
for money or revenge. It sickens me to the stomach to see our community
that we built in the last 20 years to be lost to this kind of management.
As you can imagine, the community was unhappy as well and we got loads
of feedback. Thank you very much, this means a lot to us. We've also seen
channel ops standing up to the potential new management, see e.g. [7]

I tried my very best both to not drag KDE into this situation plus to keep
the network running as I helped running it for the past 10 years, and to keep
your data safe in the hands of the volunteers that curated it for decades.

As you can imagine, this whole mess makes me even less want
to spend any of my volunteering time for the potential new management,
and I wouldn't want to be responsible for sensitive user data under that
management, either.

Therefore I resigned from my volunteer position as a freenode staffer, along
with some colleagues, and I assume a lot more will follow.
I had all my access removed, so that I could not hand
it or any data over to a third party, even if I wanted or if I were forced to.

My resignation letter, along with some details, can be found at
https://fuchsnet.ch/freenode-resign-letter.txt


Big thanks to the KDE community for having been with us for more than twenty
years, and despite IRC's shortcomings and new solutions available still being
part of the freenode IRC network.

Kind regards,

Christian  (commonly known as Fuchs)




Thank you (all of you) for all the hard work over the years, IRC has been always there as far back as I can remember :)


And, yes, I hope I'll be seeing you soon on the new, really free-we-are-making-sure-of-it-by-backing-it-up-with-a-non-profit-organization, node/network :)


Have a very good day, and thanks again.

(And I didn't know the background of freenode, however I've always thought that it's as amazing as having Linux as a whole, Kernel, glibc, KDE, and IRC :)).


I second what Bhushan said, we need to act quickly

--
Ahmad Samir