On Wed, Dec 23, 2020 at 12:49 PM Vitaly Zaitsev via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Maybe Fedora should add 2FA support and require it for the most powerful
> groups?
>

It does support it, but AFAIK does not require it.

Arguably those with elevated access (provenpackagers(*)) should be required to use a hardware token such as a FIDO2 authenticator with biometrics and/or PIN required (some phones with biometrics are equivalent to external tokens), where passwords themselves can go away. That may be a bridge too far at this point, but I would like to see that as a goal to work towards (2021 should be the year passwords die, according to Microsoft).

And then packager cleanup, while still important and something that should be done, might easily be made as lightweight as reconfirming a CLA once a year (as Richard suggested) if one wishes to continue to be a packager (of any type), since the exposure from a compromised account is significantly reduced for those using something like FIDO2 with biometrics.

(*) and then consider upping the requirements over time down the developer chain, perhaps with the next step(s) being to expand to include others such as those involved in "core security related" software (I am not sure I can categorize that, but I suspect one could come to some consensus, such as the kernel, openssh, glibc, etc.), even if not provenpackagers (although probably most of those people are PPs).