On Fri, Jun 13, 2025 at 4:47 PM Ralf Gommers <ralf.gomm...@gmail.com> wrote:

>
>
> On Fri, Jun 13, 2025 at 11:13 AM Andrew Nelson via NumPy-Discussion <
> numpy-discussion@python.org> wrote:
>
>>
>> On Fri, 13 Jun 2025 at 16:43, Ralf Gommers via NumPy-Discussion <
>> numpy-discussion@python.org> wrote:
>>
>>>
>>> For 2FA and repository/PyPI access, we'll start making changes soon.
>>> Note that GitHub has recently made changes to its 2FA settings that ask for
>>> action from many people: on https://github.com/orgs/numpy/people you
>>> can see that under "Two-factor authentication" the options increased; there
>>> is now a Secure/Insecure distinction instead of only Enabled/Disabled. If
>>> you want to move yourself from Insecure to Secure, you have to disable the
>>> SMS/mobile recovery option in your personal settings under "Password and
>>> authentication". A large majority of the 94 people with permissions are
>>> currently marked as Insecure.
>>>
>>
>> Having just visited this page I can't see any Two-factor authentication,
>> or secure/insecure properties listed.
>>
>
> It may only be visible to org owners then.
>
>
>> Remember that 2FA isn't just SMS, it could be an Authenticator app,
>> Physical key (YubiKey), etc.
>>
>
> Yes indeed. The other methods are considered secure by GitHub, just
> SMS/mobile is not.
>

An update on this: 2FA is now required for anyone who is a member of the
NumPy GitHub organization. The "insecure" method discussed above is still
allowed, because about 65% of people are in that category - and that
includes active maintainers with commit rights. Please do review this
setting for yourself if you read this.


I'd also like to clean up repo access. NumPy is a large project with lots
of people making contributions large and small; however, a decent fraction
of the 94 people with access is historical, with people perhaps added as a
contributor for a one-off thing 10 years ago and never removed. I have
started initial cleanups, and will continue those soon, so some folks may
see a "you have been removed" notification. For emeritus maintainers and
others who have contributed a lot in the past, I'll aim to reach out
directly to say hi and explain the changes. I don't think I want to be
writing O(30) emails though, so some removals may just happen - please do
feel free to reach out if you have any concern with a change.

This 2FA and repo access effort is tracked in
https://github.com/numpy/numpy/issues/29464.

Cheers,
Ralf