Re: Preventing account takeovers through expired domains

On Wed, Feb 23, 2022 at 10:33:16AM +0100, Vitaly Zaitsev via devel wrote:
> On 22/02/2022 12:33, Daniel P. Berrangé wrote:
> > Given that the accounts system already supports these OTPs, what
> > is the reason for not mandating this OTP based 2FA for *all*
> > contributors today, as opposed to merely infra people?
> 
> I like it, but many Fedora contributors won't be happy. Google said that
> only 10% of their users use OTP.

I presume you're referring to Google services like GMail, etc. I can
totally understand that kind of metric for the global population in
general, but I don't think the comparison is relevant or valid.

Contributing to the Fedora project comes with responsibilities,
and being asked to keep your account secured with 2fa is not an
unreasonable request from a project such as Fedora, whose output
is consumed by a huge number of users. 2fa is a standard best
practice expected from any organization that takes user account
security seriously.

There are significant implications for reputational damage to
Fedora if a contributor's account is compromised and that is
then successfully used to compromise software and get it shipped
to millions of users.

We got lucky in the past with the scope of damage after an account
compromise, but we should not assume that will be the case next
time...

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx