René J.V. Bertin posted on Mon, 24 Oct 2022 11:02:34 +0200 as excerpted:

>> Forwarded message:
>> Date: Monday October 24 2022
>> From: KDE Invent <noreply@xxxxxxx>
>> To: rjvbertin@xxxxxxxxx
>> Cc:
>> Subject: Your account has been deactivated
>>
>> Hello René J.V. Bertin,
>>
>> Your account has been deactivated. You will not be able to:
>> - Access Git repositories or the API.
>> - Receive any notifications from GitLab.
>> - Use slash commands.
>>
>> To reactivate your account, sign in to GitLab at
>> https://invent.kde.org/.

[insert rant about appropriate mailing-list and newsgroup etiquette quote (trimmed to reply context if necessary) with reply below it in the appropriate context, here. I went to the trouble of fixing it for this reply, but if pressed for time might simply skip the reply instead.]

> This is probably not the most appropriate mailing list for the rant
> below, but here goes:
>
> I can half understand that inactive accounts get deactivated, but on
> logging in and reactivating my account I got a message that I was
> required?! to enable 2-factor auth?
>
> What on earth is the point of that on an _open source_ git server, esp.
> if you use your github credentials to log in?!

"The rest of the story" (tho of necessity incomplete at this point) appears on the kde-core list, which being open (for reading at least, not sure about posting) I'm subscribed to (as a newsgroup, via gmane.io, as I am to this list/group). Because I deal with it as a newsgroup I don't have a direct link to the thread to post, but I imagine it can be found in the kde list web archives if you're interested.
The thread is "Gitlab update, 2FA now mandatory", with the original post by Ben Cooksley (AFAIK the primary kde sysadmin, or perhaps the one tasked with handling mailing-list messaging as he's the one I see posting all the time), with a date header of Sun, 23 Oct 2022 19:32:23 +1300 (which if I didn't reverse the polarity makes it 6:32:23 UTC, FWIW it's showing as late Saturday for me), and it's cross-posted to the kde-core, kde-devel, and kde-community lists/groups (with replies set to community if I'm reading the headers correctly and they've not been too mangled by the conversion to news-post).

Seems the kde sysadmins detected some sort of suspect attempted breakin, the details of which they're not releasing ATM as it's an ongoing attack, and they activated mandatory 2FA for all developer accounts (not just inactive ones) to help tighten up defenses a bit. The thread there doesn't mention deactivating inactive accounts tho it makes sense they'd do that too, but it DOES say ALL developer accounts must activate 2FA now.

That explains the short 2-day grace-period timeframe as well, still operating and with a short grace period as they detected stronger attacks but not a full compromise, but in the interest of /keeping/ it not compromised it's a much shorter grace period than the typical 30-90 day that might be expected were it an entirely planned migration instead of a somewhat forced response to an ongoing but so far apparently unsuccessful attack.

> I hate 2FA as it incites too much to remain logged in (and to be married
> to a mobile if not recent enough smartphone).

Given the alternative of shutting down all access for the moment, and the fact that the reality is they'd likely have to move to it eventually, I'll take the 2FA and be glad for the 48 hours grace period, which could have been 0!
Meanwhile, as others have posted both here and to the -core/-dev thread, there are various open source solutions available for desktop as well as the usual not-necessarily-open mobile options, and only a single device (which can be a desktop/laptop as well as a mobile) is required (second devices are generally recommended, but only required as lockout-prevention if you're worried about losing access through the original device). And apparently the various corporate including github's (and google's and MS's, maybe facebook's?) 2FA systems can be used as well, according to one post to the other thread.

Tho FWIW there's one active developer complaining rather actively/loudly in the mentioned thread as well, but it's only one, and the situation being what it is, I don't expect it to change much. Tho I do expect a bit more about the attack to be made public once this is over, as is only appropriate given the open norms of the community, but believe that would happen regardless.

And I expect once the immediate situation is taken care of, something a bit friendlier for newbies will be put in place as well, tho I expect the 2FA as such to remain. Maybe something like my bank does, with a one-time-pass code that can be either texted or automated-voice-called (my choice as I have no cellphone and my VoIP phone doesn't do texting only voice) as appropriate.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman