Gitlab update, 2FA now mandatory

Ahmad Samir a.samirh78 at gmail.com
Wed Oct 26 12:01:00 BST 2022


On 25/10/22 15:06, Christoph Cullmann (cullmann.io) wrote:
> On 2022-10-25 14:55, Ahmad Samir wrote:
>> On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:
>>> On 2022-10-25 13:52, Ahmad Samir wrote:
>>>> On 25/10/22 13:29, Harald Sitter wrote:
>>>>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samirh78 at gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Can a first time contributor create a fork, create multiple/100
>>>>>> MR's and spin up CI jobs? If yes, then first time contributors can
>>>>>> disrupt the system.
>>>>>>
>>>>>> Weren't there some suspicious accounts that were using our gitlab
>>>>>> instance for bitcoin mining (I could be wrong, I vaguely remember
>>>>>> someone from the Sysadmin team talking about something like that)?
>>>>>> Were these first time contributors or ones with developer accounts?
>>>>>
>>>>> I'm sure 2fa doesn't help with that (:
>>>>
>>>> I am not a cyber security expert, but isn't 2FA comparable to captcha
>>>> stuff? It's not hard, but it takes some extra time. Which forum would
>>>> a spammer target? The one with "create account and login immediately"
>>>> or the one with "create account, verify captcha hell, verify email
>>>> address"?
>>>
>>> That is true, but did we have concrete issues with spam accounts?
>>>
>>> And if yes, a one time captcha solving is a lot lower barrier than
>>> needing to do 2fa auth for a trivial issue comment or merge request.
>>>
>>> At least for any part I work on in KDE the issue is manpower.
>>>
>>> Any step to make it easier to help is good.
>>> Any step to make it harder is bad.
>>>
>>> I see the point why we do not work on GitHub,
>>> I don't like to be dependent on some random company
>>> that in the worst case can randomly pull the plug.
>>>
>>> But I somehow don't understand why we need to enforce
>>> this now even for new accounts without rights.
>>>
>>> I must confess I would like it even more if 2fa
>>> would only be required on doing some action that
>>> is problematic and not just on any issue or merge
>>> request comment. But I assume that is not feasible.
>>>
>>> Greetings
>>> Christoph
>>>
>>
>> FWIW, when I log in to GitHub, they email me a PIN that I have
>> to put in the web page; for me it's exactly the same level of
>> inconvenience:
>> - "check email, find PIN, copy, paste"
>> - "check app on phone, type PIN"
> 
> A mail is a lot easier on many devices,
> at least for me.
> 
> My Kindle Fire can read my mails, but by default has zero OTP stuff I
> could use.
> 
> Same for my different work computers.
> All can get mail, none had any such application before.
> 
> Therefore, yes, GitHub or the Steam Store work for me
> without any extra setup effort. A mail address was
> required anyway.
> 
> And no, not even by default does KDE Plasma ship with
> any obviously well integrated OTP client.
> 

In this thread Ivan said Plasma Pass has OTP support:
https://mail.kde.org/pipermail/kde-community/2022q4/007309.html

(I haven't tried it myself).

Regards,
Ahmad Samir
