Gitlab update, 2FA now mandatory
Kevin Kofler
kevin.kofler at chello.at
Mon Oct 24 00:37:23 BST 2022
Ben Cooksley wrote:
> On Mon, Oct 24, 2022 at 3:36 AM Kevin Kofler <kevin.kofler at chello.at>
> wrote:
>> IMHO, this is both an absolutely unacceptable barrier to entry and a
>> constant annoyance each time one has to log in.
>
> You shouldn't have any issues with remaining logged in as long as your
> browser remains open.
I wrote "each time one has to log in", not "remaining logged in".
I sure hope that I just have to jump through the 2FA hoops only once per
login and not several times. But that is still one time too many.
And "as long as your browser remains open" is at most one day. I turn the
computer off while I sleep. So if this change forces me to log in each time
I restart the browser, and hence at least each time I restart the computer
(which is currently *not* the case, I can remain logged in for days
throughout hundreds of browser sessions), that would mean going through the
2FA procedure at least every day.
> I did not supply a list of applications that people should be using as
> there is a diverse range of devices and appstore ecosystems in use by
> different people, and I don't have access to hardware such as a PinePhone
> to validate any of that.
So you are single-handedly forcing a new requirement on everyone, but are
not willing to help us in any way with it, even just by telling us how to
fulfill it. That is very unhelpful.
And you conveniently evaded my main questions:
* why such a change can be decided by one person suddenly on a Sunday
morning, with no warning (well, the software "gracefully" gives us 2 days to
comply… only two days!), let alone (transparent) discussion.
* what the point of two-factor is at all considering that you have no way to
prevent the developer from storing the password and the OTP generator on the
same device.
In short, the 2FA requirement is unacceptable and needs to be disabled
immediately.
Kevin Kofler
PS/OT:
> For most people the set of addresses they will be logging in from won't
> change much (given that the vast majority of people use always-on internet
> connections now, which means IP addresses - even if theoretically dynamic
> - are in practice fairly static).
"fairly static" does not mean it never changes, as in my case. But we need
not discuss this tangent any further. The mandatory 2FA nonsense is the real
issue, let us please focus on that.