On Sun, Mar 31, 2024 at 7:36 AM Arthur Bols <arthur(a)bols.dev> wrote:
On 31/03/2024 13:03, Kevin Kofler via devel wrote:
This 2FA nonsense needs to stop! GitHub has enforced compulsory 2FA for
contributors for a while, starting with "important" projects, then getting
stricter and stricter. It has done absolutely nothing to stop this attack.
How could it, when the backdoor was apparently introduced by the authorized
maintainer? (Or if not, the attacker must have had access to their 2FA
secret as well.) So, 2FA DOES NOT SOLVE THIS PROBLEM! STOP FORCING 2FA ON
US! And especially DO NOT abuse this incident as an excuse to force 2FA down
our throats, since 2FA DOES NOT SOLVE THIS PROBLEM. Sorry for being
repetitive, but you were, too. THIS 2FA NONSENSE NEEDS TO STOP!

2FA for Fedora packagers doesn't solve this issue, but that wasn't Adam's
point. What Adam is saying is that we're in danger of focusing too much on a specific
issue while we should spend our time and energy on the general security aspect of Fedora.
2FA isn't nonsense, it strengthens security by a lot. A compromised (proven)packager
account can do a lot of harm and can take a while to be noticed. If this would happen to
us, Fedora's reputation would tank immediately. Mint is still regarded as an insecure
distro (in my circles) for things that happened before I even entered the Linux scene...
Like it or not, this is 2024 and passwords are not as secure as they used to be. Yelling
about it isn't going to solve anything. Meanwhile, enabling 2FA helps A LOT even if
used incorrectly (e.g. storing it in the same keepassxc database).

At this point, I'm used to MFA for stuff (and I use a password manager
that handles 2FA OTPs too), but the Fedora implementation of MFA is
uniquely bad because we have to do a lot in the terminal, and our MFA
implementation sucks for terminal usage.

If MFA is turned on:
1. The Fedora account integration in GNOME breaks
2. You need to concatenate password and OTP for getting a krb5 session ticket
3. The recovery mechanism involves GPG signed emails

The experience using 2FA for Fedora accounts is sufficiently
unpleasant that I really don't want to use it.
--
真実はいつも一つ!/ Always, there's only one truth!