Re: Salsa update: no more "-guest" and more

Bernd Zeimetz <bernd@bzed.de> writes:

> On 4/25/20 10:05 PM, IOhannes m zmölnig (Debian/GNU) wrote:
>> On 4/25/20 8:34 PM, Bernd Zeimetz wrote:
>>> Hi,
>>> https://docs.gitlab.com/ee/security/two_factor_authentication.html
>>> Enforce that (if Salsa is doing that in the meantime, ignore me).
>> I hope you don't suggest to enforce 2FA system-wide for all users of salsa.
>> I read your original mail as a requirement to enforce 2FA for users who
>> want to use salsa as an authentication provider for their own
>> applications (which is fine with me)
> Actually I think 2FA should be enforced for everybody.
> Even debian.org related passwords might get lost.

Right, but what's the threat model here? For some of us, losing the
Salsa password is essentially only possible if we have had our PGP
dongle or offline private key backup compromised. In this case, the
attacker can sign uploads to the archive anyway, which is arguably more
serious than a compromised Salsa account.

 -- Gard

