Fwd: Your account has been deactivated

Duncan 1i5t5.duncan at cox.net
Tue Oct 25 07:09:09 BST 2022


René J.V. Bertin posted on Mon, 24 Oct 2022 11:02:34 +0200 as excerpted:

>> Forwarded message:
>> Date: Monday October 24 2022
>> From: KDE Invent <noreply at kde.org>
>> To: rjvbertin at gmail.com Cc:
>> Subject: Your account has been deactivated
>> 
>> Hello René J.V. Bertin,
>> 
>> Your account has been deactivated. You will not be able to:
>>   - Access Git repositories or the API.
>>   - Receive any notifications from GitLab.
>>   - Use slash commands.
>> 
>> To reactivate your account, sign in to GitLab at
>> https://invent.kde.org/.

[insert rant about appropriate mailing-list and newsgroup etiquette quote 
(trimmed to reply context if necessary) with reply below it in the 
appropriate context, here.  I went to the trouble of fixing it for this 
reply, but if pressed for time might simply skip the reply instead.]

> This is probably not the most appropriate mailing list for the rant
> below, but here goes:
> 
> I can half understand that inactive accounts get deactivated, but on
> logging in and reactivating my account I got a message that I was
> required?! to enable 2-factor auth?
> 
> What on earth is the point of that on an _open source_ git server, esp.
> if you use your github credentials to log in?! 

"The rest of the story" (tho of necessity incomplete at this point) 
appears on the kde-core list, which being open (for reading at least, not 
sure about posting) I'm subscribed to (as a newsgroup, via gmane.io, as I 
am to this list/group).  Because I deal with it as a newsgroup I don't 
have a direct link to the thread to post, but I imagine it can be found in 
the kde list web archives if you're interested.

The thread is "Gitlab update, 2FA now mandatory", with the original post 
by Ben Cooksley (AFAIK the primary kde sysadmin, or perhaps the one tasked 
with handling mailing-list messaging as he's the one I see posting all the 
time), with a date header of Sun, 23 Oct 2022 19:32:23 +1300 (which if I 
didn't reverse the polarity makes it 6:32:23 UTC, FWIW it's showing as 
late Saturday for me), and it's cross-posted to the kde-core, kde-devel, 
and kde-community lists/groups (with replies set to community if I'm 
reading the headers correctly and they've not been too mangled by the 
conversion to news-post).

Seems the kde sysadmins detected some sort of suspect attempted break-in, 
the details of which they're not releasing ATM as it's an ongoing attack, 
and they activated mandatory 2FA for all developer accounts (not just 
inactive ones) to help tighten up defenses a bit.  The thread there 
doesn't mention deactivating inactive accounts tho it makes sense they'd 
do that too, but it DOES say ALL developer accounts must activate 2FA now.

That explains the short 2-day grace-period timeframe as well, still 
operating and with a short grace period as they detected stronger attacks 
but not a full compromise, but in the interest of /keeping/ it not 
compromised it's a much shorter grace period than the typical 30-90 day 
that might be expected were it an entirely planned migration instead of a 
somewhat forced response to an ongoing but so far apparently unsuccessful 
attack.

> I hate 2FA as it incites too much to remain logged in (and to be married
> to a mobile if not recent enough smartphone).

Given the alternative of shutting down all access for the moment, and the 
fact that the reality is they'd likely have to move to it eventually, I'll 
take the 2FA and be glad for the 48 hours grace period, which could have 
been 0!

Meanwhile, as others have posted both here and to the -core/-dev thread, 
there are various open source solutions available for desktop as well as 
the usual not-necessarily-open mobile options, and only a single device 
(which can be a desktop/laptop as well as a mobile) is required (second 
devices are generally recommended, but only required as lockout-prevention 
if you're worried about losing access through the original device).

And apparently the various corporate 2FA systems, including github's (and 
google's and MS's, maybe facebook's?), can be used as well, according to one 
post to the other thread.

Tho FWIW there's one active developer complaining rather actively/loudly 
in the mentioned thread as well, but it's only one, and the situation 
being what it is, I don't expect it to change much.  Tho I do expect a bit 
more about the attack to be made public once this is over, as is only 
appropriate given the open norms of the community, but believe that would 
happen regardless.

And I expect once the immediate situation is taken care of, something a 
bit friendlier for newbies will be put in place as well, tho I expect the 
2FA as such to remain.  Maybe something like my bank does, with a one-
time-pass code that can be either texted or automated-voice-called (my 
choice as I have no cellphone and my VoIP phone doesn't do texting only 
voice) as appropriate.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman