Date: Tue, 3 Mar 2020 23:25:06 +0100
From: Kevin Daudt
To: ~alpine/devel@lists.alpinelinux.org
Subject: Requiring 2FA for Gitlab for Alpine Linux developers
Message-ID: <20200303222506.GB1323425@alpha>

Hello,

It is our intention to make our Gitlab instance the canonical source for
aports. In order to ensure the integrity of aports, we are going to
require everyone with push access to alpine/aports to set up 2FA[0]. This
can either be done through TOTP, or additionally with your favorite U2F
capable token.

Cases like the [Gentoo security incident][1] make it clear that we need to
be proactive in our security procedures.

We will enable this for everyone who has push access to aports. Once we
switch to Gitlab as canonical source, it will no longer be possible for
these members to log in without setting up a 2nd factor.

Let us know if you have any questions or remarks.

The Alpine Team

[0]: https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html
[1]: https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident_Reports/2018-06-28_Github