On 25/10/22 15:06, Christoph Cullmann (cullmann.io) wrote:
> On 2022-10-25 14:55, Ahmad Samir wrote:
>> On 25/10/22 14:31, Christoph Cullmann (cullmann.io) wrote:
>>> On 2022-10-25 13:52, Ahmad Samir wrote:
>>>> On 25/10/22 13:29, Harald Sitter wrote:
>>>>> On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samir...@gmail.com> wrote:
>>>>>> Can a first-time contributor create a fork, create multiple/100 MRs and spin up CI jobs? If yes, then first-time contributors can disrupt the system. Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I could be wrong, I vaguely remember someone from the Sysadmin team talking about something like that)? Were these first-time contributors or ones with developer accounts?
>>>>>
>>>>> I'm sure 2fa doesn't help with that (:
>>>>
>>>> I am not a cyber security expert, but isn't 2FA comparable to captcha stuff? It's not hard, but it takes some extra time. Which forum would a spammer target? The one with "create account and login immediately" or the one with "create account, verify captcha hell, verify email address"?
>>>
>>> That is true, but did we have concrete issues with spam accounts? And if yes, a one-time captcha solving is a lot lower barrier than the need to do 2fa auth for a trivial issue comment or merge request.
>>>
>>> At least for any part I work on in KDE the issue is manpower. Any step to make it easier to help is good. Any step to make it harder is bad.
>>>
>>> I see the point why we do not work on GitHub, I don't like to be dependent on some random company that in the worst case can randomly pull the plug. But I somehow don't understand why we need to enforce this now even for new accounts without rights.
>>>
>>> I must confess I would like it even more if 2fa would only be required on doing some action that is problematic and not just on any issue or merge request comment. But I assume that is not feasible.
>>>
>>> Greetings
>>> Christoph
>>
>> FWIW, when I log in to GitHub, they email me a PIN number that I have to put in the web page, for me it's exactly the same level of inconvenience:
>> - "check email, find pin, copy, paste"
>> - "check app on phone, type pin"
>
> A mail is a lot easier on many devices, at least for me. My Kindle Fire can read my mails, but per default has zero OTP stuff I could use. Same for my different work computers. All can get mail, none had before any such application. Therefore, yes, GitHub or the Steam Store work for me without any extra setup effort. A mail address was required anyways. And no, not even per default does KDE Plasma ship with any obviously well integrated OTP client.

In this thread Ivan said Plasma Pass has OTP support: https://mail.kde.org/pipermail/kde-community/2022q4/007309.html (I haven't tried it myself).

Regards,
Ahmad Samir