On Wed, 14 Sept 2022 at 05:28, Alexander Bokovoy <abokovoy@redhat.com> wrote:

> Sadly, it cannot be just 'any' certificate, it has to be issued by a
> certificate authority that is trusted by the KDC as well. For example,
> by FreeIPA CA which is already run by the Fedora project infrastructure
> team. An alternative is to set up certificate mapping and validating
>
> If someone from Fedora Accounts team wants to experiment with this, I
> can guide you what to do.

There is no continually running Fedora Accounts 'team'. There are 2-3 system administrators split between releng, operations and continual firefighting. There is also a team of developers who are split between CentOS Stream initiatives and other work. Changes like this need to have more than just an 'oh I finally have an afternoon free where all the other crap in the build infra is actually working for once.. let's dive into IPA'

As much as I enjoy better security, everyone should remember that the ones affected are either packagers who are volunteering to make spec files for software they need for something else.. or developers who only look at spec files as the last hassle they need to deal with before they can mark on their list 'shipped and done'. Most of them do not package/build things very often, and it takes years for them to get retrained when some change in the workflow occurs.

They are also the only ones around to do the work. Making workflow changes like adding certificates, tokens, etc. may be needed, but they are going to need a lot of documentation, continual training, and coaching to actually make them function. If there is no staff or people available to do this, then the change will fail hard.

Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren