Gitlab update, 2FA now mandatory

Christoph Cullmann (cullmann.io) christoph at cullmann.io
Thu Oct 27 10:35:18 BST 2022


On 2022-10-25 20:53, Albert Astals Cid wrote:
>> > > Hi,
>> > >
>> > > whereas I can see the security benefit, this raises the hurdle for one
>> > > time contributors again a lot.
>> > >
>> > > Before you already had to register to get your merge request,
>> > > now you need to set up this too (or at least soon it is mandatory).
>> > >
>> > > I am not sure this is such a good thing.
>> > >
>> > > I see a point that one wants to avoid that e.g. somebody steals my
>> > > account that has enough rights to delete all branches in the Kate
>> > > repository via the web frontend.
>> > >
>> > > Could the 2FA stuff perhaps be limited to people with developer role or
>> > > such?
>> >
>> > Yes this would be ideal. We don't need to require 2fa for people who just
>> > started contributing or want to give some feedback on a MR/ticket.
>> >
>> > This should be possible with the following features:
>> > https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
>> >
>> > We can just require 2fa for developers because with great powers come great
>> > responsibilities.
>> >
>> > Cheers,
>> > Carl
>> 
>>   i concur - after spending so long trying to attract casual contributors,
>> putting up a huge barrier like this is just not helpful. So, 2FA for people
>> who are able to actually mess stuff up, absolutely, we have responsibility
>> here and that's fine, but for casual contributors, that is precisely the
>> sort of thing that just outright makes people go "lol no" and go away
>> again, and is that really something we can afford?
> 
> From personal experience I agree, I was going to report a VLC issue, their
> gitlab also uses mandatory 2FA and I was very close to just giving up, and
> that was something that kind of bothered me to a certain degree.
> 
> I agree with making 2FA non mandatory for non KDE "powerful" account holders.
> 
> Cheers,
>   Albert
> 
>>   I absolutely applaud the attempt at increasing our trustworthiness as a
>> community, and 2FA for people who can actually push things certainly helps
>> us get to that, but i also can't help but notice that the particular choice
>> of making it a blanket community involvement requirement, that is, in this
>> particular case, was made with a somewhat narrow focus, so... just thought
>> i'd lend my voice to the "Yeah, please don't make our hard won casual
>> contributors go away before they even get here".

Hi,

could we have this? Only mandatory 2FA for accounts with more rights?

Greetings
Christoph

-- 
Ignorance is bliss...
https://cullmann.io | https://kate-editor.org

