On Mon, Sep 05, 2022 at 08:33:40AM +0000, Tommy Nguyen wrote:
> On Mon, 2022-09-05 at 10:13 +0200, Dominik 'Rathann' Mierzejewski
> wrote:
> > Wait, what? Which countries are 2FA tokens illegal in?
> > 
> > Regards,
> > Dominik
> 
> I cannot think of any reason why 2FA would be illegal in any country
> when TOTP is based on HMAC and by default uses SHA-1. 
> 
> Further, if I may offer my unsolicited opinion, I am strongly in favor
> of requiring 2FA. And if doing it across the board is inconvenient, at
> least for "important" packages/roles.
> 
> There have been too many supply chain incidents (see npm, GitHub, any
> corporate data breach, et al.) that I think Fedora would benefit from
> mandating 2FA.

Those who've been around a long time will remember that we've discovered
compromises of a Fedora maintainer's account in the past:

  https://lwn.net/Articles/424484/

Out of an abundance of caution / paranoia, we even later went as far as
to force a mass password change and new SSH key creation across all our
maintainers:

  https://lists.fedoraproject.org/pipermail/devel-announce/2011-October/000840.html

We got lucky back in 2011 that the impact was not too bad, but luck
runs out eventually, so 2FA for maintainers has clear benefits in
reducing risk to Fedora and its consumers.


With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|