On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:
On 2022-10-25 13:52, Ahmad Samir wrote:
On 25/10/22 13:29, Harald Sitter wrote:
On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samir...@gmail.com>
wrote:

Can a first-time contributor create a fork, create multiple/100 MRs and spin up CI jobs? If yes, then first-time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our GitLab instance for bitcoin mining (I could be wrong, I vaguely remember someone from the Sysadmin team talking about something like that)? Were these first-time contributors or ones with developer accounts?

I'm sure 2FA doesn't help with that (:

I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? It's not hard, but it takes some extra time. Which forum would a spammer target? The one with "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?

That is true, but did we have concrete issues with spam accounts?

And if yes, one-time captcha solving is a much lower barrier than needing to do 2FA auth for a trivial issue comment or merge request.

At least for any part I work on in KDE the issue is manpower.

Any step that makes it easier to help is good.
Any step that makes it harder is bad.

I see the point of why we do not work on GitHub;
I don't like to be dependent on some random company
that in the worst case can randomly pull the plug.

But I somehow don't understand why we need to enforce
this now even for new accounts without rights.

I must confess I would like it even more if 2FA
were only required when doing some action that
is problematic, and not just on any issue or merge
request comment. But I assume that is not feasible.

Greetings
Christoph


FWIW, when I log in to GitHub, they email me a PIN that I have to enter in the web page; for me it's exactly the same level of inconvenience:
- "check email, find PIN, copy, paste"
- "check app on phone, type PIN"

Regards,
Ahmad Samir
