List: kde-community
Subject: Re: Gitlab update, 2FA now mandatory
From: Ahmad Samir <a.samirh78 () gmail ! com>
Date: 2022-10-25 11:21:49
Message-ID: 40268ef1-8ea9-bc53-86ce-66add0662912 () gmail ! com
On 25/10/22 12:11, Carl Schwan wrote:
> On Sunday, 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io)
> <christoph@cullmann.io> wrote:
>
> > On 2022-10-23 08:32, Ben Cooksley wrote:
> >
> > > Hi all,
> > >
> > > This afternoon I updated invent.kde.org [1] to the latest version of
> > > Gitlab, 15.5.
> > > Release notes for this can be found at
> > > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > >
> > > There isn't much notable feature wise in this release, however there
> > > have been some bug fixes surrounding the "Rebase without Pipeline"
> > > functionality that was introduced in an earlier update.
> > >
> > > As part of securing Invent against recently detected suspicious
> > > activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> > > to configure next time you access it. This can be done using either a
> > > Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> > > your phone)
> > >
> > > Should you lose access to your 2FA device you can obtain a recovery
> > > token to log back in via SSH, see
> > > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> > > for more details on this.
> > >
> > > Please let us know if there are any queries on the above.
> >
> >
> > Hi,
> >
> > whereas I can see the security benefit, this raises the hurdle for one-time
> > contributors again a lot.
> >
> > Before, you already had to register to get your merge request in;
> > now you need to set up this too (or at least soon it is mandatory).
> >
> > I am not sure this is such a good thing.
> >
> > I see a point that one wants to avoid that e.g. somebody steals my account
> > that has enough rights to delete all branches in the Kate repository via
> > the web frontend.
> >
> > Could the 2FA stuff perhaps be limited to people with developer role or
> > such?
>
> Yes, this would be ideal. We don't need to require 2FA for people who just
> started contributing or want to give some feedback on an MR/ticket.
>
> This should be possible with the following features:
> https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
>
> We can just require 2FA for developers, because with great power comes great
> responsibility.
>
> Cheers,
> Carl
>
Can a first-time contributor create a fork, create multiple/100 MRs and spin up CI
jobs? If yes, then first-time contributors can disrupt the system.

Weren't there some suspicious accounts that were using our GitLab instance for
bitcoin mining (I could be wrong, I vaguely remember someone from the Sysadmin team
talking about something like that)? Were these first-time contributors or ones with
developer accounts?
--
Ahmad Samir