<cole-h>
gchristensen: Any value in filtering out "Reviews may only be requested from collaborators." warnings?
<gchristensen>
meh...
<gchristensen>
rfc39 should fix those once I get that thing going again :)
<cole-h>
Don't we already have unprivileged maintainers? I'm one. I think the problem is that the user being requested either hasn't accepted the invitation to the org, or hasn't been invited yet
<MichaelRaskin>
Should there be an option for maintainers who don't want to accept an invitation (say, because 2FA) to opt in to getting mentions (once per PR, if not mentioned by the time oborg gets around to it)?
<cole-h>
"say, because 2FA" What does this mean? I'm unfamiliar with how orgs and stuff work on GH.
<gchristensen>
some people don't want to join the nixos org because we require they apply a modicum of account security and enable 2FA
<cole-h>
Oh. Lol.
<MichaelRaskin>
Careful evaluation of GitHub's recommendations about 2FA setup shows that the recommended setup is no more secure than password manager enforcement, and on the other hand it is possible to enable GitHub 2FA using only a password manager on a laptop.
<gchristensen>
we can't enforce a password manager, so I'll take it
<qyliss>
How is it not possible to enable GitHub 2FA using only a password manager on a laptop?
<MichaelRaskin>
I mean, as it is implementable using only a password manager, I consider this password manager enforcement
<qyliss>
Oh I misread
<MichaelRaskin>
It is possible
<MichaelRaskin>
I do that
<MichaelRaskin>
(for some values of that…)
<qyliss>
Maybe we can get yubico to sponsor us
<qyliss>
And send every org member a U2F device
<MichaelRaskin>
You were saying something about Crimean accounts and policies?
<gchristensen>
yes but we _can't_ say "you must use a password manager!"
<MichaelRaskin>
Let me introduce you to the wonderful world of customs
<gchristensen>
we _can_ say "you must use 2FA!"
<MichaelRaskin>
gchristensen: we can, actually.
<gchristensen>
we can?
<MichaelRaskin>
We can _say_ «you must use a password manager, and one good enough to implement TOTP for GitHub!»
<gchristensen>
sure
<MichaelRaskin>
I mean, once I found out we have _both_ CLI and GUI local TOTP stuff in Nixpkgs, I committed to the position «let 2FA be, and let me tell you you don't need a smartphone for that»
<gchristensen>
sere
<gchristensen>
sure*
<MichaelRaskin>
(I looked up to make sure it is a typo and not some new popular abbreviation I have missed… well, SERE as a description of my position would be strange, but not nonsense, but I do not agree with that description)
<gchristensen>
haha
<MichaelRaskin>
What is separately nice about oathtool is that it can even be configured to tolerate my laptop's clock always being a few minutes ahead