On Fri, Apr 12, 2024 at 4:05 PM Kevin Fenzi <kevin(a)scrye.com> wrote:
So, if FESCo decided we wanted to enforce 2fa for provenpackagers or
whatever, right now that would require some work on some scripting,
which I guess would remove people without otp? But then there would
still be a window when the user was added and before the script removed
them. Or some way for sponsors to check otp status before sponsoring
someone, but if thats manually it could be missed.
I think in any case it might be good to find all the {proven}packager
members without otp and perhaps email them a note about how to set
things up, etc.
Finding the (proven)package
members without 2FA might be a
useful thing to know in order to
influence any decision or the
implementation time frame (is it
20% or 80% of (P)Ps?).
That said, I would rather see any
such follow up directed email
happen after a FESCo decision
about 2FA is made in order to
avoid possible multiple emails
(one sent soonish saying that
you *could* add 2FA, should you
want to, and another, should
the decision be made to require
2FA, to say that you will be
required to add 2FA after some
date; one email is better).
That does presume that FESCo
will make a decision in the near
term such that any email text
can be appropriately crafted.
While there will always be some
window/edge cases, I think we
should start with the presumption
that most (proven)packagers will
wish to do the right thing, and
will use 2FA if that is the stated
requirement. After the fact
cleanup/removals as the community
now does for inactive packages
may not be ideal but is arguable
sufficient as a first step.