On Wed, Jul 1, 2026 at 7:32 AM Alexander Bokovoy <[email protected]> wrote:
>
> On Срд, 01 ліп 2026, Neal Gompa wrote:
> >On Wed, Jul 1, 2026 at 4:49 AM Daniel P. Berrangé <[email protected]> 
> >wrote:
> >>
> >> On Wed, Jul 01, 2026 at 10:36:04AM +0200, [email protected] wrote:
> >> > On Sun, 2026-06-28 at 15:21 -0500, Maxwell G wrote:
> >> > While this can be preferable to some more technical Fedora
> >> > contributors, to me it kinda looks like trying very hard to avoid
> >> > making a simple web app instead, that takes the content of a couple
> >> > fields, validates the content of them if possible (change type set,
> >> > owner FAS account exists, Fedora version set, etc.) and generates
> >> > outputs as needed (plaintext email summary, static web page, etc.).
> >>
> >> The problem with a "simple web app" is that while the initial job
> >> may look simple, and impl may even be simple, we then have an
> >> ongoing never ending burden to support this web app.
> >>
> >> We've got a long (and disappointing) track record in Fedora of building
> >> things and then being unable to support them sufficiently well due to
> >> lack of resources, especially when the original author moves on.
> >
> >We have a long history of not providing community support for
> >Fedora-originated projects. Infrastructure or otherwise, it's rare for
> >a project coming from Fedora to be broadly successful because there is
> >no designed intent to market them and build communities around them.
> >
> >It even happens to Fedora Linux itself, if you look at the variants
> >other than the Red Hat-supported ones.
> >
> >I would rather us go down the road of making simple web apps for this
> >stuff. What we need to own up to is that we cannot count on Fedora
> >itself to be an advocate for projects built by Fedora contributors.
> >Those contributors need to actively do community-building work
> >themselves.
> >
> >> We
> >> can't even get sufficient resources to support & develop critical
> >> infrastructure such as our accounts system (see recent discussions
> >> about its sub-optimal support for 2FA that no one has had time to
> >> improve for years).
> >>
> >
> >I mean, this one is mostly the fault of FreeIPA. It isn't designed for
> >community projects, and shoehorning it into Fedora has resulted in
> >this flaw. It won't be fixed because no corporate customer of IdM
> >needs it, since the model works for business deployments.
> >
> >It isn't going to get fixed because IdM doesn't consider Fedora an
> >important customer/stakeholder/etc for feature development.
>
> You are wrong, Neal. I don't want to spent time in fruitless discussions
> but I'd ask you to refrain from unsubstantiated statements.
>

I am not wrong. Having MFA support is not the same thing as supporting
low-touch MFA workflows. Zero-touch MFA reset has been a requested
feature ever since we started talking about MFA for packagers. We
don't have it. Instead, we have to contact an admin to reset it. No
self-service recovery code based mechanism, or email verification
mechanism, or anything of the sort. These are all things that are part
of table-stakes for account systems like ours, and we don't have it.

This is a genuine hardship, and we know that it's something that takes
actual time from people since ~15 resets have been done in the past
six months alone. Self-service resets are, from my point of view, the
only major blocker to considering mandatory MFA.



--
真実はいつも一つ!/ Always, there's only one truth!
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to