Re: Proposal to the TSC: enable 2FA requirement across all orgs


Brian Behlendorf
 

Thanks Andy.  I'm also guessing it's not possible to require 2FA across only some GH repos within a given org.

The quickest/best approach then is likely some sort of survey of committers (as measured by commits to any repo over the last, say, 3 months) asking each to confirm they're using 2FA. Then those who haven't yet confirmed can be followed up with to make sure there's no technical barrier keeping them from moving. After some window of time (say a month), given no technical barriers, it's enabled for all repos and orgs.

It is probably worth a vote on the TSC on the policy question: should 2FA be a requirement for commits? If yes, then we can figure out a rollout strategy that best balances notice and grace with expediency.

Brian

On 6/3/19 8:26 AM, Andrew Grimberg wrote:
No, that's not actually possible. You can verify if a change comes in
with a GPG signature on it, but not if a particular account is using 2FA
for access to the GitHub UI. Those are two distinctly different things.

As an aside, we currently have a change under review [0] against lftools
that will allow someone with admin rights on a GH org to get an "audit"
of the org including who does and does not have 2FA enabled.

-Andy-

[0] https://gerrit.linuxfoundation.org/infra/c/releng/lftools/+/15264

On 5/30/19 3:41 PM, Brian Behlendorf wrote:
Can we tell which commits come in without 2FA?

Brian

On 5/30/19 2:02 PM, Christopher Ferris wrote:
You should give a warning. You can add all github ids to a team and @
the team. Maybe give a few days to remediate. I approve subject to
advance warning and update to contributors guides.

Cheers,

Christopher Ferris
IBM Fellow, CTO Open Technology
IBM Digital Business Group, Open Technologies
email: chrisfer@... <mailto:chrisfer@...>
twitter: @christo4ferris
blog: https://developer.ibm.com/code/author/chrisfer/
IBM Open Source white paper: https://developer.ibm.com/articles/cl-open-architecture-update/
phone: +1 508 667 0402 <tel:+1%20508%20667%200402>

On May 30, 2019, at 4:54 PM, Ry Jones <rjones@...
<mailto:rjones@...>> wrote:

In light of recent discussions on this mailing list,
<https://lists.hyperledger.org/g/tsc/message/2295> I ask the TSC to
vote by email on enabling 2FA for the Hyperledger and Hyperledger
Labs orgs.

We will lose many members that are committers. It will cause turbulence.
Ry
--
Ry Jones
Community Architect, Hyperledger
Chat <https://www.youtube.com/watch?v=EEc4JRyaAoA>: @rjones
<https://chat.hyperledger.org/direct/rjones>
--
Brian Behlendorf
Executive Director, Hyperledger
bbehlendorf@...
Twitter: @brianbehlendorf
