On Mon, Sep 05, 2022 at 08:33:40AM +0000, Tommy Nguyen wrote:
> On Mon, 2022-09-05 at 10:13 +0200, Dominik 'Rathann' Mierzejewski
> wrote:
> > Wait, what? Which countries are 2FA tokens illegal in?
> >
> > Regards,
> > Dominik
>
> I cannot think of any reason why 2FA would be illegal in any country
> when TOTP is based on HMAC and by default uses SHA-1.
>
> Further, if I may offer my unsolicited opinion, I am strongly in favor
> of requiring 2FA. And if doing it across the board is inconvenient, at
> least for "important" packages/roles.
>
> There have been too many supply chain incidents (see npm, GitHub, any
> corporate data breach, et al.) that I think Fedora would benefit from
> mandating 2FA.
Those who've been around a long time will remember that we've discovered
compromises of a Fedora maintainer's account in the past:
https://lwn.net/Articles/424484/
Out of an abundance of caution / paranoia, we even later went as far as
to force a mass password change and new SSH key creation across all our
maintainers:
https://lists.fedoraproject.org/pipermail/devel-announce/2011-October/000...
We got lucky back in 2011 that the impact was not too bad, but luck
runs out eventually, so 2FA for maintainers has clear benefits in
reducing risk to Fedora and its consumers.
With regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|