Gitlab update, 2FA now mandatory

Ahmad Samir a.samirh78 at gmail.com
Tue Oct 25 13:55:30 BST 2022


On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:
> On 2022-10-25 13:52, Ahmad Samir wrote:
>> On 25/10/22 13:29, Harald Sitter wrote:
>>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samirh78 at gmail.com>
>>> wrote:
>>>>
>>>> Can a first-time contributor create a fork, create multiple/100 MRs
>>>> and spin up CI jobs? If yes,
>>>> then first-time contributors can disrupt the system.
>>>>
>>>> Weren't there some suspicious accounts that were using our GitLab
>>>> instance for Bitcoin mining (I
>>>> could be wrong, I vaguely remember someone from the Sysadmin team talking
>>>> about something like that)?
>>>> Were these first-time contributors or ones with developer accounts?
>>>
>>> I'm sure 2FA doesn't help with that (:
>>
>> I am not a cyber security expert, but isn't 2FA comparable to CAPTCHA
>> stuff? It's not hard, but it takes some extra time. Which forum would a
>> spammer target? The one with "create account and login immediately"
>> or the one with "create account, verify CAPTCHA hell, verify email
>> address"?
> 
> That is true, but did we have concrete issues with spam accounts?
> 
> And if yes, a one-time CAPTCHA solve is a much lower barrier than the
> need to do 2FA auth for a trivial issue
> comment or merge request.
> 
> At least for any part I work on in KDE the issue is manpower.
> 
> Any step to make it easier to help is good.
> Any step to make it harder is bad.
> 
> I see the point of why we do not work on GitHub,
> I don't like to be dependent on some random company
> that in the worst case can randomly pull the plug.
> 
> But I somehow don't understand why we need to enforce
> this now even for new accounts without rights.
> 
> I must confess I would like it even more if 2FA
> would only be required when doing some action that
> is problematic and not just on any issue or merge
> request comment. But I assume that is not feasible.
> 
> Greetings
> Christoph
> 

FWIW, when I log in to GitHub, they email me a PIN that I have to enter on the web page; for me
it's exactly the same level of inconvenience:
- "check email, find PIN, copy, paste"
- "check app on phone, type PIN"

Regards,
Ahmad Samir
