On Wed, Feb 23, 2022 at 10:33:16AM +0100, Vitaly Zaitsev via devel wrote:
> On 22/02/2022 12:33, Daniel P. Berrangé wrote:
> > Given that the accounts system already supports these OTPs, what
> > is the reason for not mandating this OTP based 2FA for *all*
> > contributors today, as opposed to merely infra people?
> 
> I like it, but many Fedora contributors won't be happy. Google said that
> only 10% of their users use OTP.

I presume you're referring to Google services like GMail, etc. I can
totally understand that kind of metric for the global population in
general, but I don't think the comparison is relevant or valid.

Contributing to the Fedora project comes with responsibilities,
and being asked to keep your account secured with 2fa is not an
unreasonable request from a project such as Fedora, whose output
is consumed by a huge number of users. 2fa is a standard best
practice expected from any organization that takes user account
security seriously.

There are significant implications for reputational damage to
Fedora if a contributor's account is compromised and that is
then successfully used to compromise software and get it shipped
to millions of users.

We got lucky in the past with the scope of damage after an account
compromise, but we should not assume that will be the case next
time...

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|