On Mon, Sep 05, 2022 at 08:33:40AM +0000, Tommy Nguyen wrote:
> On Mon, 2022-09-05 at 10:13 +0200, Dominik 'Rathann' Mierzejewski
> wrote:
> > Wait, what? Which countries are 2FA tokens illegal in?
> >
> > Regards,
> > Dominik
>
> I cannot think of any reason why 2FA would be illegal in any country
> when TOTP is based on HMAC and by default uses SHA-1.
>
> Further, if I may offer my unsolicited opinion, I am strongly in favor
> of requiring 2FA. And if doing it across the board is inconvenient, at
> least for "important" packages/roles.
>
> There have been too many supply chain incidents (see npm, GitHub, any
> corporate data breach, et al.) that I think Fedora would benefit from
> mandating 2FA.

Those who've been around a long time will remember that we've discovered
compromises of a Fedora maintainer's account in the past:

  https://lwn.net/Articles/424484/

Out of an abundance of caution / paranoia, we even later went as far as to
force a mass password change and new SSH key creation across all our
maintainers:

  https://lists.fedoraproject.org/pipermail/devel-announce/2011-October/000840.html

We got lucky back in 2011 that the impact was not too bad, but luck runs out
eventually, so 2FA for maintainers has clear benefits in reducing risk to
Fedora and its consumers.
With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
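The thread above mentions that TOTP is HMAC-based and defaults to SHA-1 without showing what that means in practice. The following is an added example, written for this page and not code from the thread or from Fedora infrastructure: a stand-alone RFC 4226 HOTP / RFC 6238 TOTP implementation using only the Python standard library, plus the verifier side with a small drift window and constant-time comparison. SHA-1 is used here purely as the hash inside a keyed MAC over an 8-byte counter; the shared secret is the 20-byte RFC 6238 test seed, so the expected codes can be checked against the published test vectors.

```python
import hmac
import struct

# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"). Real deployments
# generate a random per-account secret and deliver it to the authenticator,
# usually as a base32 string in an otpauth:// URI.
RFC6238_SHA1_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP.

    HMAC(secret, counter as 8-byte big-endian), then "dynamic truncation":
    the low nibble of the last MAC byte picks a 4-byte window, whose top bit
    is masked off, and the result is reduced modulo 10**digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.

    Every client and server that shares the secret computes the same counter
    for the same 30-second window, so no state beyond the clock is needed.
    """
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps either side to tolerate
    clock drift; compares in constant time so a wrong digit does not leak
    timing. Replay protection (refusing a counter already accepted for this
    user) is left to the caller's storage layer.
    """
    if len(code) != digits or not code.isdigit():
        return False
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 vectors for SHA-1, 8 digits: T=59 -> 94287082, T=1234567890 -> 89005924
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC6238_SHA1_SEED, t, digits=8))
    # The same secret, 6 digits, at T=59 is RFC 4226 HOTP counter 1: 287082
    print("verify at T=59:", verify_totp(RFC6238_SHA1_SEED, "287082", 59))
    print("verify one step late:", verify_totp(RFC6238_SHA1_SEED, "287082", 89))
    print("verify two steps late:", verify_totp(RFC6238_SHA1_SEED, "287082", 119))
```

Running the block reproduces the SHA-1 column of the RFC 6238 test table, which is the quickest way to confirm a TOTP implementation before trusting it. Note what the code does not protect against: a shared-secret scheme still falls to real-time phishing relays, which is why hardware-backed FIDO2/WebAuthn keys are usually preferred over TOTP where the infrastructure supports them.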