Requiring Launchpad 2FA from Ubuntu uploaders
Philipp Kern
pkern at debian.org
Tue Aug 14 15:18:38 UTC 2018
On 2018-08-14 15:31, Robie Basak wrote:
> Launchpad 2FA is currently opt-in for everyone. However, it has been
> mandatory for Canonical employees for a number of years now. Details
> are
> documented here:
>
> https://help.ubuntu.com/community/SSO/FAQs/2FA
>
> TOTP and HOTP are supported, so this works with hardware authenticators
> such as Yubikeys as well as smartphone apps like OTP Authenticator
> (from
> F-Droid) and Google Authenticator (Play Store), etc.
>
> We[1] think this is now easy enough and standard enough not to be a
> burden, so we are inclined to implement this as a requirement for all
> Ubuntu uploaders[2]. Any objections?
>
> Robie
>
> [1] "We" means the TB and the DMB
>
> [2] By "Ubuntu uploaders" I mean anyone who can upload to the Ubuntu
> archive, which I think means all members of ~ubuntu-uploaders whether
> directly or indirectly.
It's probably worth pointing out what this is trying to protect from:
drive-by logins with stolen passwords and hence at least access to
change the upload key set is curtailed. And that's already a good thing.
There are two improvements that would be nice to have, though:
- u2f support. Getting out the HOTP token (I guess I enrolled too early
for TOTP) is annoying. But I guess a Launchpad session is pretty
permanent, so you don't actually need to reauth on the same device,
right? (Which might also be a bad thing.)
- It only protects access to Launchpad, not access to the keys that sign
the uploads and ultimately control what gets put into the archive.
Shouldn't there be a way behind 2fa to contribute to Ubuntu as well? :)
Kind regards
Philipp Kern
More information about the ubuntu-devel
mailing list