From: David Jarvie
Date: Tue, 25 Oct 2022 12:38:08 +0000
To: kde-community
Subject: Re: Gitlab update, 2FA now mandatory
X-MARC-Message: https://marc.info/?l=kde-community&m=166670112719937

On 25 October 2022 11:19:36 BST, Dan Leinir Turthra Jensen wrote:
> On Tuesday, 25 October 2022 11:11:46 BST Carl Schwan wrote:
> > On Sunday 23 October 2022 at 5:55 PM, Christoph Cullmann (cullmann.io) wrote:
> > > On 2022-10-23 08:32, Ben Cooksley wrote:
> > > > Hi all,
> > > >
> > > > This afternoon I updated invent.kde.org [1] to the latest version of
> > > > Gitlab, 15.5.
> > > > Release notes for this can be found at
> > > > https://about.gitlab.com/releases/2022/10/22/gitlab-15-5-released/
> > > >
> > > > There isn't much notable feature-wise in this release, however there
> > > > have been some bug fixes surrounding the "Rebase without Pipeline"
> > > > functionality that was introduced in an earlier update.
> > > >
> > > > As part of securing Invent against recently detected suspicious
> > > > activity I have also enabled Mandatory 2FA, which Gitlab will ask you
> > > > to configure next time you access it. This can be done using either a
> > > > Webauthn token (such as a Yubikey) or TOTP (using the app of choice on
> > > > your phone).
> > > >
> > > > Should you lose access to your 2FA device you can obtain a recovery
> > > > token to log back in via SSH, see
> > > > https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html#generate-new-recovery-codes-using-ssh
> > > > for more details on this.
> > > >
> > > > Please let us know if there are any queries on the above.
> > >
> > > Hi,
> > >
> > > whereas I can see the security benefit, this raises the hurdle for one-time
> > > contributors again a lot.
> > >
> > > Before you already had to register to get your merge request,
> > > now you need to set up this too (or at least soon it is mandatory).
> > >
> > > I am not sure this is such a good thing.
> > >
> > > I see a point that one wants to avoid that e.g. somebody steals my
> > > account that has enough rights to delete all branches in the Kate
> > > repository via the web frontend.
> > >
> > > Could the 2FA stuff perhaps be limited to people with developer role or
> > > such?
> >
> > Yes, this would be ideal. We don't need to require 2FA for people who just
> > started contributing or want to give some feedback on a MR/ticket.
> >
> > This should be possible with the following feature:
> > https://docs.gitlab.com/ee/security/two_factor_authentication.html#enforce-2fa-for-all-users-in-a-group
> >
> > We can just require 2FA for developers because with great powers come great
> > responsibilities.
> >
> > Cheers,
> > Carl
>
> I concur - after spending so long trying to attract casual contributors,
> putting up a huge barrier like this is just not helpful. So, 2FA for people
> who are able to actually mess stuff up, absolutely, we have responsibility
> here and that's fine, but for casual contributors, that is precisely the sort
> of thing that just outright makes people go "lol no" and go away again, and is
> that really something we can afford?
> I absolutely applaud the attempt at increasing our trustworthiness as a
> community, and 2FA for people who can actually push things certainly helps us
> get to that, but I also can't help but notice that the particular choice of
> making it a blanket community involvement requirement, that is, in this
> particular case, was made with a somewhat narrow focus, so... just thought I'd
> lend my voice to the "Yeah, please don't make our hard-won casual contributors
> go away before they even get here".
>

I agree. Anybody without a real commitment to KDE would be likely to be put off by this requirement.

I also concur with Frederik that there are people who have no previous exposure to this form of 2FA. The only form of 2FA which I have previously encountered is by text to my mobile phone. I had no idea that apps for this purpose existed. Because I develop KDE software, I have the motivation to find out how to set up 2FA for invent. But if I was a casual user, there is no way that I'd be prepared to spend the time and effort investigating how to do it. It's far too big a hurdle for somebody such as me who's not already committed to the project.

--
David Jarvie
KAlarm author, KDE developer