On Sun, Mar 31, 2024 at 7:36 AM Arthur Bols <arthur@xxxxxxxx> wrote: > > On 31/03/2024 13:03, Kevin Kofler via devel wrote: > > This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for > contributors for a while, starting with "important" projects, then getting > stricter and stricter. It has done absolutely nothing to stop this attack. > How could it, when the backdoor was apparently introduced by the authorized > maintainer? (Or if not, the attacker must have had access to their 2FA > secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON > US! And especially DO NOT abuse this incident as an excuse to force 2FA down > our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being > repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP! > > > 2FA for Fedora packagers doesn't solve this issue, but that wasn't Adam's point. What Adam is saying is that we're in danger of focusing too much on a specific issue while we should spent our time and energy on the general security aspect of Fedora. 2FA isn't nonsense, it strengthens security by a lot. A compromised (proven)packager account can do a lot of harm and can take a while to be noticed. If this would happen to us, Fedora's reputation would tank immediately. Mint is still regarded as a insecure distro (in my circles) for things that happened before I even entered the linux scene... > > Like it or not, this is 2024 and passwords are not as secure as they used to be. Yelling about it isn't going to solve anything. Meanwhile, enabling 2FA helps A LOT even if used incorrectly (e.g. storing it in the same keepassxc database). > At this point, I'm used to MFA for stuff (and I use a password manager that handles 2FA OTPs too), but the Fedora implementation of MFA is uniquely bad because we have to do a lot in the terminal, and our MFA implementation sucks for terminal usage. If MFA is turned on: 1. The Fedora account integration in GNOME breaks 2. You need to concatenate password and OTP for getting a krb5 session ticket 3. The recovery mechanism involves GPG signed emails The experience using 2FA for Fedora accounts is sufficiently unpleasant that I really don't want to use it. -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
