#nixos-borg on 2020-04-10

2018-04-19 20:36 gchristensen changed the topic of #nixos-borg to: https://www.patreon.com/ofborg https://monitoring.nix.ci/dashboard/db/ofborg?refresh=10s&orgId=1&from=now-1h&to=now "I get to skip reviewing the PHP code and just wait until it is rewritten in something sane, like POSIX shell. || https://logs.nix.samueldr.com/nixos-borg

01:07 gleber_ is now known as gleber

01:08 gleber is now known as gleber_

01:08 gleber_ is now known as gleber

06:42 cole-h has quit [Ping timeout: 264 seconds]

17:02 cole-h has joined #nixos-borg

18:14 orivej has quit [Ping timeout: 264 seconds]

18:35 dtz has quit [Ping timeout: 246 seconds]

18:36 dtz has joined #nixos-borg

20:16 <cole-h> gchristensen: Any value in filtering out "Reviews may only be requested from collaborators." warnings?

20:17 <gchristensen> meh...

20:17 <gchristensen> rfc39 should fix those once I get that thing going again :)

20:20 <cole-h> Don't we already have unprivileged maintainers? I'm one. I think the problem is that the user being requested either hasn't accepted the invitation to the org, or hasn't been invited yet

21:41 <MichaelRaskin> Should there be an option for maintainers who don't want to accept invitation (say, because 2FA) to opt-in to getting mentions (once per PR, if not mentioned by the time oborg gets around to it)?

22:00 <cole-h> "say, because 2FA" What does this mean? I'm unfamiliar with how orgs and stuff work on GH.

22:01 <gchristensen> some people don't want to join the nixos org because we require they apply a modicum of account security and enable 2FA

22:02 <cole-h> Oh. Lol.

22:03 <MichaelRaskin> Careful evaluation of GitHub's recommendations about 2FA setup shows that the recommended setup is no more secure than password manager enforcement, and on the other hand it is possible to enable GitHub 2FA using only a password manager on a laptop.

22:03 <gchristensen> we can't enforce a password manager, so I'll take it

22:04 <qyliss> How is it not possible to enable GitHub 2FA using only a password manager on a laptop?

22:04 <MichaelRaskin> I mean, as it is implementable using only password manager, I consider this password manager enforcement

22:04 <qyliss> Oh I misread

22:04 <MichaelRaskin> It is possible

22:04 <MichaelRaskin> I do that

22:05 <MichaelRaskin> (for some values of that…)

22:05 <qyliss> Maybe we can get yubico to sponsor us

22:05 <qyliss> And send every org member a U2F device

22:05 <MichaelRaskin> You were saying something about Crimean accounts and policies?

22:06 <gchristensen> yes but we _can't_ say "you must use a password manager!"

22:06 <MichaelRaskin> Let me introduce you to the wonderful world of customs

22:06 <gchristensen> we _can_ say "you must use 2FA!"

22:06 <MichaelRaskin> gchristensen: we can, actually.

22:06 <gchristensen> we can?

22:06 <MichaelRaskin> We can _say_ «you must use a password manager, and a good enough to implement TOTP for GitHub!»

22:07 <gchristensen> sure

22:08 <MichaelRaskin> I mean, once I found out we have _both_ CLI and GUI local TOTP stuff in Nixpkgs, I committed to the position «let 2FA be, and let me tell you you don't need a smartphone for that»

22:08 <gchristensen> sere

22:09 <gchristensen> sure*

22:11 <MichaelRaskin> (I looked up to make sure it is a typo and not some new popular abbreviation I have missed… well, SERE as a description of my position would be strange, but not nonsense, but I do not agree with that description)

22:12 <gchristensen> haha

22:21 <MichaelRaskin> What is separately nice about oathtool is that it can even be configured to tolerate my laptop's clock always being a few minutes ahead