Hi all,

In https://github.com/numpy/numpy/issues/29178 I posted a proposal for steps to take to improve supply chain security. The most important proposed change is:

- Move building release artifacts that get uploaded to PyPI and anaconda.org to a new repository.

Other proposed changes:

- Further tighten 2FA requirements for everyone with any permissions beyond read-only on the repository.
- Move GITHUB_TOKEN to read-only default permissions.
- Start shipping SBOMs, in the way outlined by PEP 770.
- Start verifying that our builds are fully reproducible.

It looks like everyone is happy with the proposal so far. Posting here for visibility. Please comment if you have any concerns or other feedback. We'll start implementation next week if there are no blocking concerns.

For 2FA and repository/PyPI access, we'll start making changes soon. Note that GitHub has recently made changes to its 2FA settings that ask for action from many people: on https://github.com/orgs/numpy/people you can see that under "Two-factor authentication" the options increased; there is now a Secure/Insecure distinction instead of only Enabled/Disabled. If you want to move yourself from Insecure to Secure, you have to disable the SMS/mobile recovery option in your personal settings under "Password and authentication". A large majority of the 94 people with permissions are currently marked as Insecure.

Cheers,
Ralf
_______________________________________________
NumPy-Discussion mailing list -- numpy-discussion@python.org
To unsubscribe send an email to numpy-discussion-le...@python.org
https://mail.python.org/mailman3//lists/numpy-discussion.python.org
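The "verify that our builds are fully reproducible" item in the proposal above comes down to one check: two independent builds of the same release must produce byte-identical artifacts. The script below is an added example (not NumPy's own tooling, and not from the issue linked above) of how a maintainer could perform that check on wheels, which are zip archives. It compares two builds byte-for-byte and, when they differ, reports which archive members differ in content and which differ only in zip entry metadata such as timestamps, the most common source of non-reproducibility. The `build_sample_wheel` helper constructs a minimal in-memory wheel-like archive purely so the example runs offline; the member names and payload in it are made up.

```python
"""Compare two independently built wheels for reproducibility.

Added example, not part of NumPy's release tooling. A reproducible build
must be byte-identical; when it is not, this reports what differs so the
cause (embedded timestamps, differing compiler output, ...) can be found.
"""
import hashlib
import io
import sys
import zipfile
from dataclasses import dataclass, field


@dataclass
class WheelDiff:
    identical_bytes: bool                                 # strict reproducibility result
    content_mismatch: list = field(default_factory=list)  # members whose bytes differ
    metadata_only: list = field(default_factory=list)     # same bytes, different zip metadata
    only_in_a: list = field(default_factory=list)
    only_in_b: list = field(default_factory=list)

    @property
    def reproducible(self) -> bool:
        return self.identical_bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _members(blob: bytes) -> dict:
    """Map member name -> (content digest, zip timestamp, external attributes)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {
            info.filename: (sha256(zf.read(info)), info.date_time, info.external_attr)
            for info in zf.infolist()
        }


def compare_wheels(a: bytes, b: bytes) -> WheelDiff:
    diff = WheelDiff(identical_bytes=(sha256(a) == sha256(b)))
    ma, mb = _members(a), _members(b)
    diff.only_in_a = sorted(set(ma) - set(mb))
    diff.only_in_b = sorted(set(mb) - set(ma))
    for name in sorted(set(ma) & set(mb)):
        digest_a, *meta_a = ma[name]
        digest_b, *meta_b = mb[name]
        if digest_a != digest_b:
            diff.content_mismatch.append(name)
        elif meta_a != meta_b:
            diff.metadata_only.append(name)
    return diff


def build_sample_wheel(mtime: tuple, payload: bytes = b"print('hello')\n") -> bytes:
    """Constructed sample: a tiny wheel-like zip built in memory (not a real package).

    `mtime` is a zipfile date_time tuple; varying it mimics a build whose
    archive timestamps were not pinned (e.g. via SOURCE_DATE_EPOCH).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (
            ("pkg/__init__.py", payload),
            ("pkg-1.0.dist-info/RECORD", b"pkg/__init__.py,sha256=placeholder,15\n"),
        ):
            info = zipfile.ZipInfo(name, date_time=mtime)  # explicit timestamp, ZIP_STORED
            zf.writestr(info, data)
    return buf.getvalue()


def report(diff: WheelDiff) -> str:
    if diff.reproducible:
        return "OK: builds are byte-identical"
    lines = ["FAIL: builds differ"]
    for label, names in (("content differs", diff.content_mismatch),
                         ("metadata only", diff.metadata_only),
                         ("only in first", diff.only_in_a),
                         ("only in second", diff.only_in_b)):
        for n in names:
            lines.append(f"  {label}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python compare_wheels.py build1/pkg.whl build2/pkg.whl
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            print(report(compare_wheels(fa.read(), fb.read())))
    else:
        same = build_sample_wheel((2024, 1, 1, 0, 0, 0))
        later = build_sample_wheel((2024, 1, 2, 0, 0, 0))
        print(report(compare_wheels(same, later)))
```

Run against two wheels produced by separate CI runs (or one CI run and one local rebuild of the tagged commit), the strict `reproducible` flag is the thing to gate a release on; the member-level breakdown is only there to shorten the investigation when the gate fails. A long `metadata_only` list with an empty `content_mismatch` list usually means timestamps were not pinned during the build, whereas entries in `content_mismatch` point at toolchain or environment differences that need to be tracked down.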