On 25/10/22 12:11, Carl Schwan wrote:
> On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) <christ...@cullmann.io> wrote:
>> On 2022-10-23 08:32, Ben Cooksley wrote:
>>> Hi all,
>>>
>>> This afternoon I updated invent.kde.org [1] to the latest version of Gitlab, 15.5. Release notes for this can be found at https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
>>>
>>> There isn't much notable feature-wise in this release; however, there have been some bug fixes surrounding the "Rebase without Pipeline" functionality that was introduced in an earlier update.
>>>
>>> As part of securing Invent against recently detected suspicious activity I have also enabled Mandatory 2FA, which Gitlab will ask you to configure next time you access it. This can be done using either a WebAuthn token (such as a Yubikey) or TOTP (using the app of your choice on your phone).
>>>
>>> Should you lose access to your 2FA device you can obtain a recovery token to log back in via SSH; see https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh for more details on this.
>>>
>>> Please let us know if there are any queries on the above.
>>
>> Hi,
>>
>> whereas I can see the security benefit, this raises the hurdle for one-time contributors again a lot. Before, you already had to register to get your merge request in; now you need to set this up too (or at least soon it is mandatory). I am not sure this is such a good thing.
>>
>> I see a point that one wants to avoid that e.g. somebody steals my account that has enough rights to delete all branches in the Kate repository via the web frontend. Could the 2FA stuff perhaps be limited to people with the developer role or such?
>
> Yes, this would be ideal. We don't need to require 2FA for people who just started contributing or want to give some feedback on an MR/ticket.
>
> This should be possible with the following feature: https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
>
> We can just require 2FA for developers, because with great power comes great responsibility.
>
> Cheers,
> Carl
Can a first-time contributor create a fork, create multiple/100 MRs and spin up CI jobs? If yes, then first-time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong; I vaguely remember someone from the Sysadmin team talking about something like that)? Were these first-time contributors or ones with developer accounts?
-- Ahmad Samir
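An added example, not part of this thread and not KDE sysadmin tooling, showing the two things discussed above in working code: turning on the group-scoped 2FA enforcement Carl points to (GitLab's documented `PUT /api/v4/groups/:id` attributes `require_two_factor_authentication` and `two_factor_grace_period`, the latter in hours) instead of the instance-wide setting, and a check for which members holding Developer rights or above have not enrolled 2FA. The host, group id, token, and the member/user records are placeholders constructed here; the `two_factor_enabled` field is the one returned by the admin-only users API, which is an assumption about what the audit would be fed.

```python
"""Group-scoped 2FA enforcement and a "privileged users without 2FA" audit.

Added example; the host, token, group id and sample records below are
constructed placeholders, not data from invent.kde.org.
"""
import json
import urllib.parse
import urllib.request

# GitLab access levels: Guest=10, Reporter=20, Developer=30, Maintainer=40, Owner=50.
DEVELOPER = 30


def build_group_2fa_request(base_url, group_id, token, require=True, grace_hours=48):
    """Build (but do not send) the PUT request that enforces 2FA for one group.

    `group_id` may be a numeric id or a full path such as "kde/teams"; a path is
    URL-encoded as the API expects (slash -> %2F).
    """
    encoded = urllib.parse.quote(str(group_id), safe="")
    url = f"{base_url.rstrip('/')}/api/v4/groups/{encoded}"
    body = json.dumps({
        "require_two_factor_authentication": bool(require),
        "two_factor_grace_period": int(grace_hours),
    }).encode()
    req = urllib.request.Request(url, data=body, method="PUT")
    req.add_header("PRIVATE-TOKEN", token)
    req.add_header("Content-Type", "application/json")
    return req


def apply_group_2fa(req):
    """Send the request built above; needs a token with Owner rights on the group."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def privileged_without_2fa(members, users, min_level=DEVELOPER):
    """Return usernames whose group access is >= min_level and who lack 2FA.

    `members` is the shape of GET /groups/:id/members/all (id, username,
    access_level); `users` is the shape of the admin users API, assumed here to
    carry a boolean `two_factor_enabled` per user.
    """
    enrolled = {u["id"]: bool(u.get("two_factor_enabled", False)) for u in users}
    return sorted(
        m["username"]
        for m in members
        if m["access_level"] >= min_level and not enrolled.get(m["id"], False)
    )


# Constructed sample data: one reporter (no 2FA, but no write rights), one
# developer without 2FA, one maintainer with 2FA.
SAMPLE_MEMBERS = [
    {"id": 1, "username": "drive-by", "access_level": 20},
    {"id": 2, "username": "dev-no2fa", "access_level": 30},
    {"id": 3, "username": "maint-ok", "access_level": 40},
]
SAMPLE_USERS = [
    {"id": 1, "two_factor_enabled": False},
    {"id": 2, "two_factor_enabled": False},
    {"id": 3, "two_factor_enabled": True},
]

if __name__ == "__main__":
    req = build_group_2fa_request("https://gitlab.example.org", "kde/teams", "glpat-PLACEHOLDER")
    print(req.get_method(), req.full_url, req.data.decode())
    print("privileged members without 2FA:", privileged_without_2fa(SAMPLE_MEMBERS, SAMPLE_USERS))
```

Run as-is it only builds the request and prints the audit over the sample data; call `apply_group_2fa(req)` with a real host and Owner token to actually flip the setting. The audit deliberately ignores users below Developer, which is exactly the one-time-contributor population the thread wants to leave unburdened.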