Gitlab update, 2FA now mandatory

Christoph Cullmann (cullmann.io) christoph at cullmann.io
Tue Oct 25 13:31:57 BST 2022


On 2022-10-25 13:52, Ahmad Samir wrote:
> On 25/10/22 13:29, Harald Sitter wrote:
>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samirh78 at gmail.com> 
>> wrote:
>>> 
>>> Can a first-time contributor create a fork, create multiple/100 MRs 
>>> and spin up CI jobs? If yes,
>>> then first-time contributors can disrupt the system.
>>> 
>>> Weren't there some suspicious accounts that were using our GitLab 
>>> instance for bitcoin mining (I
>>> could be wrong, I vaguely remember someone from Sysadmin team talking 
>>> about something like that)?
>>> Were these first-time contributors or ones with developer accounts?
>> 
>> I'm sure 2FA doesn't help with that (:
> 
> I am not a cyber security expert, but isn't 2FA comparable to captcha 
> stuff? It's not hard, but it takes some extra time. Which forum would a 
> spammer target? The one with the "create account and login immediately" 
> or the one with "create account, verify captcha hell, verify email 
> address"?

That is true, but did we have concrete issues with spam accounts?

And if yes, a one-time captcha solving is a much lower barrier than the 
need to do 2FA auth for a trivial issue
comment or merge request.

At least for any part I work on in KDE the issue is manpower.

Any step to make it easier to help is good.
Any step to make it harder is bad.

I see the point why we do not work on GitHub,
I don't like to be dependent on some random company
that in worst case can randomly pull the plug.

But I somehow don't understand why we need to enforce
this now even for new accounts without rights.

I must confess I would like it even more if 2FA
would only be required on doing some action that
is problematic and not just on any issue or merge
request comment. But I assume that is not feasible.

Greetings
Christoph

-- 
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org

