Gitlab update, 2FA now mandatory

Dan Leinir Turthra Jensen admin at leinir.dk
Tue Oct 25 11:19:36 BST 2022


On Tuesday, 25 October 2022 11:11:46 BST Carl Schwan wrote:
> On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io)
> <christoph at cullmann.io> wrote:
> > On 2022-10-23 08:32, Ben Cooksley wrote:
> > > Hi all,
> > > 
> > > This afternoon I updated invent.kde.org [1] to the latest version of
> > > Gitlab, 15.5.
> > > Release notes for this can be found at
> > > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > > 
> > > There isn't much notable feature wise in this release, however there
> > > have been some bug fixes surrounding the "Rebase without Pipeline"
> > > functionality that was introduced in an earlier update.
> > > 
> > > As part of securing Invent against recently detected suspicious
> > > activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> > > to configure next time you access it. This can be done using either a
> > > Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> > > your phone)
> > > 
> > > Should you lose access to your 2FA device you can obtain a recovery
> > > token to log back in via SSH, see
> > > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> > > for more details on this.
> > > 
> > > Please let us know if there are any queries on the above.
> > 
> > Hi,
> > 
> > whereas I can see the security benefit, this raises the hurdle for one
> > time contributors again a lot.
> > 
> > Before you already had to register to get your merge request,
> > now you need to setup this too (or at least soon it is mandatory).
> > 
> > I am not sure this is such a good thing.
> > 
> > I see a point that one wants to avoid that e.g. somebody steals my
> > account  that has enough rights to delete all branches in the Kate
> > repository via the web frontend.
> > 
> > Could the 2FA stuff perhaps be limited to people with developer role or
> > such?
> 
> Yes this would be ideal. We don't need to require 2fa for people who just
> started contributing or want to give some feedback on a MR/ticket.
> 
> This should be possible with the following features:
> https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> 
> We can just require 2fa for developers because with great powers come great
> responsibilities.
> 
> Cheers,
> Carl

  i concur - after spending so long trying to attract casual contributors, 
putting up a huge barrier like this is just not helpful. So, 2FA for people 
who are able to actually mess stuff up, absolutely, we have responsibility 
here and that's fine, but for casual contributors, that is precisely the sort 
of thing that just outright makes people go "lol no" and go away again, and is 
that really something we can afford?
  I absolutely applaud the attempt at increasing our trustworthiness as a 
community, and 2FA for people who can actually push things certainly helps us 
get to that, but i also can't help but notice that the particular choice of 
making it a blanket community involvement requirement was, in this 
particular case, made with a somewhat narrow focus, so... just thought i'd 
lend my voice to the "Yeah, please don't make our hard won casual contributors 
go away before they even get here".

-- 
..dan / leinir..
http://leinir.dk/
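Added example, not part of the thread and not KDE sysadmin tooling: the role-scoped policy proposed above (2FA only for people who can push) implemented against the GitLab REST API. Two things a practitioner wants before flipping the switch: an audit of which privileged members (Developer and above) do not yet have 2FA, and the exact group-settings call that enforces it with a grace period. Note that GitLab's group-level enforcement applies to every member of that group regardless of role, so scoping it to "developers" means choosing which groups carry the setting and who is a member of them. The instance URL, group path, token value and both sample API responses below are constructed for illustration; the access-level numbers, the `require_two_factor_authentication` and `two_factor_grace_period` group attributes and the `two_factor_enabled` user field are GitLab's own.

```python
"""Role-scoped 2FA enforcement on GitLab: audit privileged members, then
enforce per group. Added example; URLs, token and sample data are assumptions."""
import json
import urllib.parse
import urllib.request

# GitLab access levels (real values): 10 Guest, 20 Reporter, 30 Developer,
# 40 Maintainer, 50 Owner. "Can push" starts at Developer.
DEVELOPER = 30

# Constructed sample of GET /api/v4/groups/:id/members (fields trimmed).
SAMPLE_MEMBERS = [
    {"id": 1, "username": "maintainer-a", "access_level": 40, "state": "active"},
    {"id": 2, "username": "dev-b", "access_level": 30, "state": "active"},
    {"id": 3, "username": "dev-c", "access_level": 30, "state": "active"},
    {"id": 4, "username": "drive-by-d", "access_level": 20, "state": "active"},
    {"id": 5, "username": "guest-e", "access_level": 10, "state": "active"},
]

# Constructed sample of the admin-only GET /api/v4/users response, which
# carries two_factor_enabled (not exposed through the members endpoint).
SAMPLE_USERS = [
    {"id": 1, "username": "maintainer-a", "two_factor_enabled": True},
    {"id": 2, "username": "dev-b", "two_factor_enabled": False},
    {"id": 3, "username": "dev-c", "two_factor_enabled": True},
    {"id": 4, "username": "drive-by-d", "two_factor_enabled": False},
    {"id": 5, "username": "guest-e", "two_factor_enabled": False},
]


def privileged_members(members, min_level=DEVELOPER):
    """Usernames of members whose role lets them push or otherwise change state."""
    return sorted(m["username"] for m in members if m["access_level"] >= min_level)


def privileged_without_2fa(members, users, min_level=DEVELOPER):
    """Privileged members who would be locked out (or are the exposure) without 2FA.
    Casual contributors below min_level are deliberately not reported."""
    tfa = {u["id"]: u["two_factor_enabled"] for u in users}
    return sorted(
        m["username"]
        for m in members
        if m["access_level"] >= min_level and not tfa.get(m["id"], False)
    )


def group_2fa_request(base_url, group_path, token, grace_hours=48):
    """Build PUT /api/v4/groups/:id enabling enforcement for that group only.
    two_factor_grace_period is in hours; members get that long to enrol."""
    gid = urllib.parse.quote(group_path, safe="")  # "kde/kate" -> "kde%2Fkate"
    body = urllib.parse.urlencode({
        "require_two_factor_authentication": "true",
        "two_factor_grace_period": str(grace_hours),
    }).encode()
    return urllib.request.Request(
        f"{base_url}/api/v4/groups/{gid}",
        data=body,
        method="PUT",
        headers={
            "PRIVATE-TOKEN": token,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def enforce_group_2fa(base_url, group_path, token, grace_hours=48):
    """Send the request (needs Owner on the group); returns the updated group JSON."""
    with urllib.request.urlopen(group_2fa_request(base_url, group_path, token, grace_hours)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline audit on the constructed samples; the PUT is built but not sent.
    print("privileged:", privileged_members(SAMPLE_MEMBERS))
    print("privileged without 2FA:", privileged_without_2fa(SAMPLE_MEMBERS, SAMPLE_USERS))
    req = group_2fa_request("https://invent.example.org", "kde/kate", "glpat-example")
    print(req.get_method(), req.full_url, req.data.decode())
```

Run the audit first and chase the people it lists, then send the PUT per group that holds push rights; members below Developer in other groups, and users with no group membership at all, are untouched, which is the outcome the thread is asking for.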
