On Wed, 2020-12-23 at 18:04 +0100, Florian Weimer wrote:
> * Gary Buhrmaster:
>
> > > It does support it, but AFAIK does not require it.
> >
> > Arguably those with elevated access (provenpackagers(*))
> > should be required to use a hardware token such
> > as a FIDO2 authenticator with biometrics and/or
> > PIN required (some phones with biometrics are
> > equivalent to external tokens) where passwords
> > themselves can go away. That may be a bridge too
> > far at this point, but I would like to see that as a goal
> > to work towards (2021 should be the year passwords
> > die according to Microsoft).
>
> Is there even meaningful two-factor authentication support for Git
> pushes, anywhere? (Not just in the Fedora infrastructure.)

I mean, they *kinda* are 2FA already: we use certs and hopefully
packagers all have a passphrase, so you need the cert and the
passphrase.

The weakest point in the current system is really the FAS password. If
you have a packager's FAS password you can change the ssh key
associated with the account to another that you control, and the FAS
password is also all you need to run a build and submit it to Bodhi.
--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net