Gitlab update, 2FA now mandatory

Albert Astals Cid aacid at kde.org
Tue Oct 25 19:53:03 BST 2022


On Tuesday, 25 October 2022 at 12:19:36 (CEST), Dan Leinir Turthra Jensen wrote:
> On Tuesday, 25 October 2022 11:11:46 BST Carl Schwan wrote:
> > On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io)
> > <christoph at cullmann.io> wrote:
> > > On 2022-10-23 08:32, Ben Cooksley wrote:
> > > > Hi all,
> > > > 
> > > > This afternoon I updated invent.kde.org [1] to the latest version of
> > > > Gitlab, 15.5.
> > > > Release notes for this can be found at
> > > > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > > > 
> > > > There isn't much notable feature wise in this release, however there
> > > > have been some bug fixes surrounding the "Rebase without Pipeline"
> > > > functionality that was introduced in an earlier update.
> > > > 
> > > > As part of securing Invent against recently detected suspicious
> > > > activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> > > > to configure next time you access it. This can be done using either a
> > > > Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> > > > your phone)
> > > > 
> > > > Should you lose access to your 2FA device you can obtain a recovery
> > > > token to log back in via SSH, see
> > > > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> > > > for more details on this.
> > > > 
> > > > Please let us know if there are any queries on the above.
> > > 
> > > Hi,
> > > 
> > > whereas I can see the security benefit, this raises the hurdle for one
> > > time contributors again a lot.
> > > 
> > > Before you already had to register to get your merge request,
> > > now you need to setup this too (or at least soon it is mandatory).
> > > 
> > > I am not sure this is such a good thing.
> > > 
> > > I see a point that one wants to avoid that e.g. somebody steals my
> > > account that has enough rights to delete all branches in the Kate
> > > repository via the web frontend.
> > > 
> > > Could the 2FA stuff perhaps be limited to people with developer role or
> > > such?
> > 
> > Yes, this would be ideal. We don't need to require 2FA for people who just
> > started contributing or want to give some feedback on a MR/ticket.
> > 
> > This should be possible with the following features:
> > https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> > 
> > We can just require 2FA for developers because with great powers come
> > great responsibilities.
> > 
> > Cheers,
> > Carl
> 
> I concur - after spending so long trying to attract casual contributors,
> putting up a huge barrier like this is just not helpful. So, 2FA for people
> who are able to actually mess stuff up, absolutely, we have responsibility
> here and that's fine, but for casual contributors, that is precisely the
> sort of thing that just outright makes people go "lol no" and go away
> again, and is that really something we can afford?

From personal experience I agree: I was going to report a VLC issue, their 
GitLab also uses mandatory 2FA, and I was very close to just giving up, and 
that was something that kind of bothered me to a certain degree.

I agree with making 2FA non-mandatory for non-KDE "powerful" account holders.

Cheers,
  Albert

> I absolutely applaud the attempt at increasing our trustworthiness as a
> community, and 2FA for people who can actually push things certainly helps
> us get to that, but I also can't help but notice that the particular choice
> of making it a blanket community involvement requirement, that is, in this
> particular case, was made with a somewhat narrow focus, so... just thought
> I'd lend my voice to the "Yeah, please don't make our hard won casual
> contributors go away before they even get here".

More information about the kde-community mailing list