> I am a strong proponent of open source. However, I believe that those who develop important projects should carefully consider the impact that their work can have. I think that for a centralized authentication system, a bypass of the two-factor authentication should be solved or at least mitigated in a timely manner: 10 months is a lot of time to fix a core feature of a security product.
What does the author propose as the solution here? Simply saying "you should be careful" isn't a solution. If you proposed a fix, where was the PR? Why is there no further discussion of what the holdups were?
My guess here, not being privy to internal communications: The Red Hat folks were probably worried that a simple change like increasing the required access to add another 2FA would break some other functionality, or cause logical loopholes for situations where a user loses access to their second factors. The result was that they were exceedingly careful/slow to get to testing and validation. Doesn't make it right. This guess comes from what I observed in my previous time at IBM -- I saw a lot of the company's open source contributions hung up in similar ways.