On Fri, Jun 13, 2025 at 4:47 PM Ralf Gommers <ralf.gomm...@gmail.com> wrote:
> On Fri, Jun 13, 2025 at 11:13 AM Andrew Nelson via NumPy-Discussion <numpy-discussion@python.org> wrote:
>
>> On Fri, 13 Jun 2025 at 16:43, Ralf Gommers via NumPy-Discussion <numpy-discussion@python.org> wrote:
>>
>>> For 2FA and repository/PyPI access, we'll start making changes soon. Note that GitHub has recently made changes to its 2FA settings that ask for action from many people: on https://github.com/orgs/numpy/people you can see that under "Two-factor authentication" the options increased; there is now a Secure/Insecure distinction instead of only Enabled/Disabled. If you want to move yourself from Insecure to Secure, you have to disable the SMS/mobile recovery option in your personal settings under "Password and authentication". A large majority of the 94 people with permissions are currently marked as Insecure.
>>
>> Having just visited this page I can't see any Two-factor authentication, or secure/insecure properties listed.
>
> It may only be visible to org owners then.
>
>> Remember that 2FA isn't just SMS, it could be an Authenticator app, Physical key (yubikey), etc.
>
> Yes indeed. The other methods are considered secure by GitHub, just SMS/mobile is not.

An update on this: 2FA is now required for anyone who is a member of the NumPy GitHub organization. The "insecure" method discussed above is still allowed, because about 65% of people are in that category - and that includes active maintainers with commit rights. Please do review this setting for yourself if you read this.

I'd also like to clean up repo access. NumPy is a large project with lots of people making contributions large and small, however a decent fraction of the 94 people with access is historical, with people perhaps added as a contributor for a one-off thing 10 years ago and never removed. I have started initial cleanups, and will continue those soon, so some folks may see a "you have been removed" notification.
For emeritus maintainers and others who have contributed a lot in the past, I'll aim to reach out directly to say hi and explain the changes. I don't think I want to be writing O(30) emails though, so some removals may just happen - please do feel free to reach out if you have any concern with a change.

This 2FA and repo access effort is tracked in https://github.com/numpy/numpy/issues/29464.

Cheers,
Ralf