team-compass icon indicating copy to clipboard operation
team-compass copied to clipboard

Published 20 hours ago verified publisher icon jupyterhub

Let's ensure all maintainers of PyPI packages enable 2FA there as well

Open consideRatio opened this issue 2 years ago • 6 comments

As PyPI marks a few of the JupyterHub orgs packages as "critical", they seem to enforce 2FA for maintainers of these. No matter what if they enforce it, I think we should.

PyPI project maintainers needing to activate 2FA

For all the PyPI projects I'm a maintainer, I found that these users were in need of activating 2FA in PyPI.

@yuvipanda, @choldgraf, @dhirschfeld (jupyterhub-ldapauthenticator), @GeorgianaElena, @leportella (jupyterhub-nativeauthenticator), @willirath (firstuseauthenticator), @samhinshaw (jupyterhub-ltiauthenticator).

Note that you may be eligable for a free 2FA device if you are a maintainer of some of the critical marked PyPI packages, and you can check here to see if you were.

Please act to setup 2FA until 8th of August, which is one month from now.

Actions taken related to bot accounts

  • I've removed nbserverproxy from having access to jupyter-server-proxy. The github actions token used is from jupyterhub-bot already.
  • I've removed mybinderteam from having access to jupyter-repo2docker. https://github.com/jupyterhub/repo2docker/pull/1166 is making sure we use jupyterhub-bot API token instead.

Related

  • https://github.com/jupyterhub/team-compass/issues/443
  • https://github.com/jupyterhub/team-compass/issues/520

Status on activated 2FA as of 2022-09-03

  • [ ] @yuvipanda
  • [x] @choldgraf
  • [x] @dhirschfeld (jupyterhub-ldapauthenticator)
  • [x] @GeorgianaElena
  • [ ] @leportella (jupyterhub-nativeauthenticator)
  • [x] @willirath (firstuseauthenticator)
  • [ ] @samhinshaw (jupyterhub-ltiauthenticator).

consideRatio avatar Jul 08 '22 17:07 consideRatio

As I no longer use ldapauthenticator at work I'm no longer active on that repo. Unfortunately, with two young kiddos, I don't have any time to work on things not at least tangentially related to my $dayjob.

That's by-the-by though - I should have 2FA on my PyPI account, so I've gone ahead and enabled that. Thanks for the nudge @consideRatio!

dhirschfeld avatar Jul 08 '22 23:07 dhirschfeld

I've ordered the free 2fa devices and they'll be here next week. I'll enable it after that :)

yuvipanda avatar Jul 09 '22 00:07 yuvipanda

I've activated 2FA.

willirath avatar Jul 11 '22 07:07 willirath

I've activated 2FA.

me too

GeorgianaElena avatar Jul 11 '22 08:07 GeorgianaElena

Hi @yuvipanda, @choldgraf, @leportella (jupyterhub-nativeauthenticator), @samhinshaw (jupyterhub-ltiauthenticator! Can you activate 2FA for your PyPI accounts?

consideRatio avatar Sep 03 '22 10:09 consideRatio

I've activated my 2FA just now - I had been waiting for my USB key in the mail but apparently there was a delivery error and now who knows when it'll come, so I just used Duo :-P

choldgraf avatar Sep 05 '22 11:09 choldgraf

Please act to setup 2FA until 8th of August, which is one month from now.

Leticia and Sam for now I've removed access to associated PyPI projects as 2FA wasn't enabled.

  • @leportella (jupyterhub-nativeauthenticator), disabled still as of 2023-02-20, removed access
  • @samhinshaw (jupyterhub-ltiauthenticator), disabled still as of 2023-02-20, removed access

With this, I think all of our PyPI projects have maintainers/owners with 2FA enabled! Closing this as resolved

consideRatio avatar Feb 20 '23 13:02 consideRatio