Gitlab update, 2FA now mandatory

Christoph Cullmann (cullmann.io) christoph at cullmann.io
Tue Oct 25 14:06:17 BST 2022


On 2022-10-25 14:55, Ahmad Samir wrote:
> On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:
>> On 2022-10-25 13:52, Ahmad Samir wrote:
>>> On 25/10/22 13:29, Harald Sitter wrote:
>>>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samirh78 at gmail.com>
>>>> wrote:
>>>>> 
>>>>> Can a first time contributor create a fork, create multiple/100 MR's
>>>>> and spin up CI jobs? If yes,
>>>>> then first time contributors can disrupt the system.
>>>>> 
>>>>> Weren't there some suspicious accounts that were using our gitlab
>>>>> instance for bitcoin mining (I could be wrong, I vaguely remember
>>>>> someone from Sysadmin team talking about something like that)?
>>>>> Were these first time contributors or ones with developer accounts?
>>>> 
>>>> I'm sure 2fa doesn't help with that (:
>>> 
>>> I am not a cyber security expert, but isn't 2FA comparable to captcha
>>> stuff? It's not hard, but it takes some extra time. Which forum would a
>>> spammer target? The one with "create account and login immediately"
>>> or the one with "create account, verify captcha hell, verify email
>>> address"?
>> 
>> That is true, but did we have concrete issues with spam accounts?
>> 
>> And if yes, a one time captcha solving is a lot lower barrier than the
>> need to do 2fa auth for a trivial issue comment or merge request.
>> 
>> At least for any part I work on in KDE the issue is manpower.
>> 
>> Any step to make it easier to help is good.
>> Any step to make it harder is bad.
>> 
>> I see the point why we do not work on GitHub,
>> I don't like to be dependent on some random company
>> that in worst case can randomly pull the plug.
>> 
>> But I somehow don't understand why we need to enforce
>> this now even for new accounts without rights.
>> 
>> I must confess I would like it even more if 2fa
>> would only be required on doing some action that
>> is problematic and not just on any issue or merge
>> request comment. But I assume that is not feasible.
>> 
>> Greetings
>> Christoph
>> 
> 
> FWIW, when I log in to GitHub, they email me a pin number that I have 
> to put in the web page, for me it's exactly the same level of 
> inconvenience:
> - "check email, find pin, copy, paste"
> - "check app on phone, type pin"

A mail is a lot easier on many devices,
at least for me.

My Kindle Fire can read my mails, but per default has zero otp stuff
I could use.

Same for my different work computers.
All can get mail, none had any such application before.

Therefore, yes, GitHub or the Steam Store work for me
without any extra setup effort. A mail address was
required anyways.

And no, not even per default KDE Plasma ships with
any obviously well integrated otp client.

Greetings
Christoph

-- 
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org