honey it's 4pm, time for your daily rebase
@Mastodon
That' s an impressie huge Changelog ! Great work.
Profile notes! 😄🎉
@Mastodon
> Add e-mail-based sign in challenge for users with disabled 2FA
> If user tries signing in after:
>
> * Being inactive for a while
> * With a previously unknown IP
> * Without 2FA being enabled
> Require to enter a token sent via e-mail before sigining in
Eew…(((
@loganer @Mastodon @tennoseremel What’s the problem?
"Require to enter a token sent via e-mail before sigining in"
that is just email based 2FA.
steam does this and i think its the superior 2FA.
but when taking into context
"Add e-mail-based sign in challenge for users with disabled 2FA"
basically either 1. its not well defined or 2.you are ignoring the users request.
@Gargron Aside from requiring to do something the user opted-out of?
Let's see:
* leaking more data to email provider;
* creating problems/annoyances logging in, especially if your email provider is blocked in your country and you have to run Tor or something to access it;
* then there can also be a problem when I'd want to login from a device which has no access to email or such an access is undesirable.
what i personally would love to see is this being optional because i actually love email based 2fa and i can not use phone based 2fa because i don't have one.
but it definitely should have its own separate option to toggle it.
@loganer @tennoseremel Did y'all miss how it only activates if you haven't signed in for a while (2 weeks, to be exact) and only if you're trying to sign in from an IP you haven't signed in from before? Your hijacked account is a liability for the whole network, so no, you don't get a choice about how we safeguard inactive accounts from being hijacked.
@Gargron Which is:
a) rather short;
b) still does what the user opted-out of;
c) IP doesn't matter as it changes daily pretty much for everyone.
2 weeks is not hijacked, it's barely a vacation.
I'd expect such a move from big brother companies (you haven't logged in in X amount of time, punishment time), not an open source project.
@tennoseremel @loganer I think you're misunderstanding something. Mastodon sessions don't expire for like, a year. Once you're logged in, you're logged in. This is about displaying a challenge when you try to login from a browser where you don't already have a session.
@tennoseremel @loganer What you have to understand is:
1. People tend to namesquat on Mastodon (reserve username, stop paying attention indefinitely)
2. People tend to re-use passwords between different websites and often pop up on haveibeenpwned.com
3. People who namesquat often have bad password security and don't bother setting up 2FA
As a result, we've been dealing with a lot of account hijackings on Mastodon. Spammers take over legit looking accounts and transform them into spam.
just please communicate the real intent of the options to the users of the software.
if it is that 2FA is disabled then it is disabled.
@tennoseremel @loganer I will do no such thing. Enabling 2FA requires a TOTP app, and a TOTP token is then required on every new login, not a heuristic like suspiciousness. This isn't 2FA.
it is 2 Factors you need to Authenticate with.
2FA separated by some random time is still 2FA
and email based 2FA is still 2FA
pleroma also does not well define 'Outgoing blocks'
even if one or the other must be active , then you should properly define it because disabled is not "use something else".
@Mastodon
Bondiou ! Je suis en retard !!
Server run by the main developers of the project 
It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!
@Mastodon "Album art is automatically extracted from audio files"
oh that's nice