It's possible (and common) to write code that is both valid Python 2 and 3, like in this case.

In T550#202580, @epriestley wrote:

I'm planning to support this in the arc experimental branch, although initial support won't be optimized. We can look at ControlPath and/or adding batching to the protocol layer to improve performance once it works.

Isn't this working as designed? A user (or the public) needing access to the diffusion application in order to access repositories is exactly the behavior I would expect.

Agreed that supporting YubiKey OTP is pointless - it's impractical and basically a dead legacy feature at this point. WebAuthn has emerged as the de-facto standard for hardware tokens.

In D18651#227868, @epriestley wrote:

If users are actually building changes that depend on one anothers' unlanded changes, we could revisit this rule once we're more confident the simpler cases work.

Typo in commit message

This has been implemented in the meantime:

Thanks, greatly appreciated.

Thanks, worked perfectly!

It's just a minor thing I was briefly confused about when I used the "Create Diff" for the first time.

Specific attack scenario: Phabricator is used to host proprietary code. Someone logs into Phabricator on a shared computer and forgets to log out. That shared computer is now forever logged into his account, allowing anyone using it to access said proprietary code. If the cookie would expire or at least be session-only, the risk would be significantly lower.