On Tue, 2022-09-06 at 16:14 -0500, Jonathan Wright via devel wrote:
> On Tue, Sep 6, 2022 at 3:52 PM Vitaly Zaitsev via devel <
> devel@lists.fedoraproject.org> wrote:
> 
> > On 06/09/2022 19:49, Michael Catanzaro wrote:
> > > Of course, hardware authenticators would be even more secure, and it
> > > sure seems pretty reasonable to expect that people with commit access
> > > to Fedora packages are able to purchase a $25 or 30€ security key
> > > [1][2].

I think most people would find it not reasonable for contributors to an
open source project to pay any amount of cash, even $25, to gain
packaging rights. That's tantamount to a membership or entrance fee. 

While I think this discussion has gone off the rails, here are my
thoughts:
- Why such a focus on FIDO2? It seems that nobody has discussed any
alternatives. FIDO2 isn't even necessarily universally acclaimed in the
infosec space.
- Why such a focus on devices that cost money? I have 2FA enabled on my
phone with a free open source TOTP app.

Seems that Fedora also has no SOP in place for requisitions or funding
devices for its members, otherwise I don't think this discussion would
be taking place. Fedora should probably start there first, because once
you talk about buying keys, do you also talk about buying Thinkpads and
laptops that travel overseas to countries that are on US sanction lists
(this is a slippery slope, but do you see where I'm going with this?)

I think mandating software 2FA at a minimum is not that big of a
buy-in; anything beyond that poses major complications.