
List:       kde-community
Subject:    Re: Gitlab update, 2FA now mandatory
From:       Harald Sitter <sitter () kde ! org>
Date:       2022-10-25 11:29:21
Message-ID: CAEc+18EGYSpx+9p6zYsZUoQEgAnn6Pqc8URKuJu4r50zy2S6sg () mail ! gmail ! com

On Tue, Oct 25, 2022 at 1:22 PM Ahmad Samir <a.samirh78@gmail.com> wrote:
>
> On 25/10/22 12:11, Carl Schwan wrote:
> > On Sunday 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) <christoph@cullmann.io> wrote:
> >
> >
> >> On 2022-10-23 08:32, Ben Cooksley wrote:
> >>
> >>> Hi all,
> >>>
> >>> This afternoon I updated invent.kde.org [1] to the latest version of
> >>> Gitlab, 15.5.
> >>> Release notes for this can be found at
> >>> https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> >>>
> >>> There isn't much notable feature wise in this release, however there
> >>> have been some bug fixes surrounding the "Rebase without Pipeline"
> >>> functionality that was introduced in an earlier update.
> >>>
> >>> As part of securing Invent against recently detected suspicious
> >>> activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> >>> to configure next time you access it. This can be done using either a
> >>> Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> >>> your phone)
> >>>
> >>> Should you lose access to your 2FA device you can obtain a recovery
> >>> token to log back in via SSH, see
> >>> https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> >>> for more details on this.
> >>>
> >>> Please let us know if there are any queries on the above.
> >>
> >>
> >> Hi,
> >>
> >> whereas I can see the security benefit, this raises the hurdle for one
> >> time
> >> contributors again a lot.
> >>
> >> Before you already had to register to get your merge request,
> >> now you need to setup this too (or at least soon it is mandatory).
> >>
> >> I am not sure this is such a good thing.
> >>
> >> I see a point that one wants to avoid that e.g. somebody steals my
> >> account that has enough rights to delete all branches in the Kate
> >> repository via the web frontend.
> >>
> >> Could the 2FA stuff perhaps be limited to people with developer role or
> >> such?
> >
> > Yes this would be ideal. We don't need to require 2fa for people who just
> > started contributing or want to give some feedback on a MR/ticket.
> >
> > This should be possible with the following features:
> > https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> >
> > We can just require 2fa for developers because with great powers come great
> > responsibilities.
> >
> > Cheers,
> > Carl
> >
>
> Can a first time contributor create a fork, create multiple/100 MRs and spin up CI jobs? If yes,
> then first time contributors can disrupt the system.
>
> Weren't there some suspicious accounts that were using our gitlab instance for bitcoin mining (I
> could be wrong, I vaguely remember someone from the Sysadmin team talking about something like that)?
> Were these first time contributors or ones with developer accounts?

I'm sure 2fa doesn't help with that (:
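The thread's proposal is to enforce 2FA only for accounts that hold Developer or higher access, which leaves the question of how to check who would be affected before flipping the group setting. The script below is an added example written for this page; it is not KDE sysadmin tooling and not code from anyone in the thread. It assumes two payload shapes modelled on GitLab's REST API: the group members list (`GET /groups/:id/members/all`, with `id`, `username` and `access_level`) and the per-user record (`GET /users/:id`, whose `two_factor_enabled` field is visible to administrators). The `fetch_json` helper and `audit_group` wrapper are assumptions about that API; the sample members and users are constructed so the audit logic runs offline.

```python
"""Audit a GitLab group for privileged members who have not enabled 2FA.

Added example, not part of the thread or of any KDE tooling. The API paths,
header name and field names below are assumptions modelled on GitLab's
documented REST API; the sample data is constructed.
"""
import json
import urllib.request

# Access levels as documented for GitLab's members API (assumed values).
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# Constructed sample payloads (not real accounts).
MEMBERS = [
    {"id": 1, "username": "alice", "access_level": MAINTAINER},
    {"id": 2, "username": "bob", "access_level": DEVELOPER},
    {"id": 3, "username": "carol", "access_level": REPORTER},
    {"id": 4, "username": "dave", "access_level": DEVELOPER},
    {"id": 5, "username": "erin", "access_level": OWNER},
]
USERS = {
    1: {"two_factor_enabled": True},
    2: {"two_factor_enabled": False},
    3: {"two_factor_enabled": False},
    4: {"two_factor_enabled": True},
    5: {"two_factor_enabled": False},
}


def privileged_without_2fa(members, users, min_level=DEVELOPER):
    """Return sorted usernames at or above min_level whose record lacks 2FA.

    Members below the threshold are skipped, matching the thread's idea that
    one-time contributors (Guest/Reporter) stay exempt. A member with no user
    record at all is still reported: unknown 2FA status fails closed.
    """
    flagged = []
    for member in members:
        if member["access_level"] < min_level:
            continue
        record = users.get(member["id"])
        if record is None or not record.get("two_factor_enabled", False):
            flagged.append(member["username"])
    return sorted(flagged)


def fetch_json(base_url, path, token):
    """GET a JSON document from the API using a private token (assumed shape)."""
    req = urllib.request.Request(
        f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req) as resp:  # nosec: read-only audit call
        return json.load(resp)


def audit_group(base_url, group_id, token, min_level=DEVELOPER):
    """Fetch members and their user records, then run the offline check.

    Only members at or above min_level are looked up individually, so the
    number of requests stays proportional to the privileged subset.
    """
    members = fetch_json(base_url, f"/groups/{group_id}/members/all", token)
    users = {
        m["id"]: fetch_json(base_url, f"/users/{m['id']}", token)
        for m in members
        if m["access_level"] >= min_level
    }
    return privileged_without_2fa(members, users, min_level)


if __name__ == "__main__":
    # Offline run over the constructed data; prints bob and erin.
    print(privileged_without_2fa(MEMBERS, USERS))
```

The check is deliberately split from the fetching so the policy question in the thread (which roles must have 2FA) is a single `min_level` argument: raising it to `OWNER` narrows the report to group owners, lowering it to `GUEST` reproduces the instance-wide requirement Ben enabled.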