On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) <christ...@cullmann.io> wrote:
> On 2022-10-23 08:32, Ben Cooksley wrote:
> > Hi all,
> >
> > This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5.
> > Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >
> > There isn't much notable feature-wise in this release, however there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
> >
> > As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a Webauthn token (such as a Yubikey) or TOTP (using the app of choice on your phone).
> >
> > Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH, see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
> >
> > Please let us know if there are any queries on the above.
>
> Hi,
>
> whereas I can see the security benefit, this raises the hurdle for one-time contributors again a lot.
>
> Before you already had to register to get your merge request, now you need to set up this too (or at least soon it is mandatory).
>
> I am not sure this is such a good thing.
>
> I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend.
>
> Could the 2FA stuff perhaps be limited to people with developer role or such?

Yes, this would be ideal. We don't need to require 2FA for people who just started contributing or want to give some feedback on a MR/ticket.

This should be possible with the following features: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group

We can just require 2FA for developers because with great powers come great responsibilities.

Cheers,
Carl

> Greetings
> Christoph
>
> > Thanks,
> > Ben
> >
> > Links:
> > ------
> > [1] http://invent.kde.org
>
> --
> Ignorance is bliss...
> https://cullmann.io | https://kate-editor.org
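An added example, not code from this thread, from KDE or from GitLab, showing the role-based 2FA policy Christoph and Carl discuss as an audit a group admin could run. It assumes member records have already been fetched from the GitLab API and joined with the per-user `two_factor_enabled` flag (the numeric access levels, that field name, and the group attributes `require_two_factor_authentication` / `two_factor_grace_period` follow the GitLab API documentation); the "Developer or above must have 2FA" threshold is this example's own policy, not a GitLab setting, and the member list is constructed for the example.

```python
"""Audit which GitLab group members hold a role that should require 2FA.

Added example for the invent.kde.org discussion above; not code from the
thread, from KDE or from GitLab. Member records are assumed to be already
fetched and joined; the sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Numeric access levels used by the GitLab members API.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
ROLE_NAMES = {GUEST: "Guest", REPORTER: "Reporter", DEVELOPER: "Developer",
              MAINTAINER: "Maintainer", OWNER: "Owner"}


@dataclass(frozen=True)
class Member:
    """One group member: username and access_level from the members endpoint,
    two_factor_enabled from the users endpoint (admin-visible field)."""
    username: str
    access_level: int
    two_factor_enabled: bool


def role_name(level: int) -> str:
    """Human-readable role for a numeric access level."""
    return ROLE_NAMES.get(level, f"unknown({level})")


def must_have_2fa(member: Member, threshold: int = DEVELOPER) -> bool:
    """Example policy: anyone at or above `threshold` (default Developer)
    must have 2FA; drive-by contributors below it are exempt."""
    return member.access_level >= threshold


def audit_2fa(members: Iterable[Member],
              threshold: int = DEVELOPER) -> Dict[str, List[str]]:
    """Split members into policy violators, compliant users and exempt users.
    Lists are sorted so the report is stable across runs."""
    result: Dict[str, List[str]] = {"non_compliant": [], "compliant": [], "exempt": []}
    for m in members:
        if not must_have_2fa(m, threshold):
            result["exempt"].append(m.username)
        elif m.two_factor_enabled:
            result["compliant"].append(m.username)
        else:
            result["non_compliant"].append(m.username)
    for names in result.values():
        names.sort()
    return result


def group_2fa_settings(grace_period_hours: int = 48) -> dict:
    """Payload for the group-level enforcement linked in the thread
    (PUT /groups/:id). The grace period is expressed in hours and gives
    existing members time to enrol before they are locked out."""
    if grace_period_hours < 0:
        raise ValueError("grace period must be non-negative")
    return {"require_two_factor_authentication": True,
            "two_factor_grace_period": grace_period_hours}


# Constructed sample data; these are not real invent.kde.org accounts.
SAMPLE_MEMBERS = [
    Member("maintainer-a", MAINTAINER, True),
    Member("dev-b", DEVELOPER, False),
    Member("dev-c", DEVELOPER, True),
    Member("drive-by-d", GUEST, False),
    Member("reporter-e", REPORTER, False),
    Member("owner-f", OWNER, False),
]

if __name__ == "__main__":
    report = audit_2fa(SAMPLE_MEMBERS)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
    for m in report["non_compliant"]:
        level = next(x.access_level for x in SAMPLE_MEMBERS if x.username == m)
        print(f"  {m} is {role_name(level)} without 2FA")
    print(group_2fa_settings())
```

Running the audit before flipping the group setting tells you exactly who will hit the grace-period lockout, so the announcement can go to those people rather than to every one-time contributor.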