Gitlab update, 2FA now mandatory

Ben Cooksley bcooksley at kde.org
Wed Oct 26 10:51:08 BST 2022


On Wed, Oct 26, 2022 at 1:32 AM Christoph Cullmann (cullmann.io) <
christoph at cullmann.io> wrote:

> On 2022-10-25 13:52, Ahmad Samir wrote:
> > On 25/10/22 13:29, Harald Sitter wrote:
> >> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samirh78 at gmail.com>
> >> wrote:
> >>>
> >>> Can a first time contributor create a fork, create multiple/100 MR's
> >>> and spin up CI jobs? if yes,
> >>> then, first time contributors can disrupt the system.
> >>>
> >>> Weren't there some suspicious accounts that were using our gitlab
> >>> instance for bitcoin mining (I
> >>> could be wrong, I vaguely remember someone from Sysadmin team talking
> >>> about something like that)?
> >>> were these first time contributors or ones with developer accounts?
> >>
> >> I'm sure 2fa doesn't help with that (:
> >
> > I am not a cyber security expert, but isn't 2FA comparable to captcha
> > stuff? it's not hard, but it takes some extra time. Which forum would a
> > spammer target? the one with the "create account and login immediately"
> > or the one with "create account, verify captcha hell, verify email
> > address"?
>
> That is true, but did we have concrete issues with spam accounts?
>

2FA and CAPTCHAs try to solve two totally different problems.
Please do not try to conflate them with each other.

CAPTCHAs are designed to prevent bots (and more recently other suspicious
actors) from taking specific actions, such as registering accounts.
Often CAPTCHAs are intended to block spammers.

2FA is designed to verify that a user is who they say they are - through
confirming they are in possession of something (whether that be a TOTP
Secret, or a Webauthn hardware token).
It is intended to defeat phishing, where legitimate and innocent user
accounts are compromised and abused by bad actors.


>
> And if yes, a one-time captcha solving is a lot lower barrier than the
> need to do 2FA auth for a trivial issue
> comment or merge request.
>
> At least for any part I work on in KDE the issue is manpower.
>
> Any step to make it easier to help is good.
> Any step to make it harder is bad.
>
> I see the point why we do not work on GitHub,
> I don't like to be dependent on some random company
> that in worst case can randomly pull the plug.
>
> But I somehow don't understand why we need to enforce
> this now even for new accounts without rights.
>
> I must confess I would like it even more if 2fa
> would only be required on doing some action that
> is problematic and not just on any issue or merge
> request comment. But I assume that is not feasible.
>

You are correct.

2FA forms part of the process of authentication - that is confirming the
user is who they say they are.
It therefore can only be applied at the time of login.


>
> Greetings
> Christoph
>
> --
> Ignorance is bliss...
> https://cullmann.io | https://kate-editor.org


Regards,
Ben