Re: [pytest-dev] Enabling 2FA for pytest-dev
Makes sense to me.

On Thu, Dec 8, 2022 at 11:42 AM Floris Bruynooghe wrote:
> I'd also be +1 on this.
>
> Note however that the user in question did have 2FA enabled already and
> indeed this doesn't help for compromised tokens. I think we can force
> some limits on what tokens are allowed, I'm not entirely sure here and
> on how restricting this may turn out to be for people.
>
> Anyway, requiring 2FA is a decent step I support.
>
> Cheers,
> Floris
>
> On Thu 08 Dec 2022 at 13:17 -0300, Bruno Oliveira wrote:
> > Hi folks,
> >
> > Given the recent incident of suspicious activity using a stolen credential
> > from a pytest-dev org member, it was suggested that pytest is high-enough
> > profile that we should require 2FA for all members.
> >
> > I'm definitely +1 on this, sending this message here in case someone wants
> > to voice concerns.
> >
> > Cheers,
> > Bruno.

___
pytest-dev mailing list
pytest-dev@python.org
https://mail.python.org/mailman/listinfo/pytest-dev
Re: [pytest-dev] Enabling 2FA for pytest-dev
I'd also be +1 on this.

Note however that the user in question did have 2FA enabled already and indeed this doesn't help for compromised tokens. I think we can force some limits on what tokens are allowed, I'm not entirely sure here and on how restricting this may turn out to be for people.

Anyway, requiring 2FA is a decent step I support.

Cheers,
Floris

On Thu 08 Dec 2022 at 13:17 -0300, Bruno Oliveira wrote:
> Hi folks,
>
> Given the recent incident of suspicious activity using a stolen credential
> from a pytest-dev org member, it was suggested that pytest is high-enough
> profile that we should require 2FA for all members.
>
> I'm definitely +1 on this, sending this message here in case someone wants
> to voice concerns.
>
> Cheers,
> Bruno.
Re: [pytest-dev] Enabling 2FA for pytest-dev
Hi folks,

I intend to enable the requirement in a few hours, unless someone objects.

Cheers,
Bruno.

On Thu, Dec 8, 2022 at 1:17 PM Bruno Oliveira wrote:
> Hi folks,
>
> Given the recent incident of suspicious activity using a stolen credential
> from a pytest-dev org member, it was suggested that pytest is high-enough
> profile that we should require 2FA for all members.
>
> I'm definitely +1 on this, sending this message here in case someone wants
> to voice concerns.
>
> Cheers,
> Bruno.
[pytest-dev] Enabling 2FA for pytest-dev
Hi folks,

Given the recent incident of suspicious activity using a stolen credential from a pytest-dev org member, it was suggested that pytest is high-enough profile that we should require 2FA for all members.

I'm definitely +1 on this, sending this message here in case someone wants to voice concerns.

Cheers,
Bruno.
Re: [pytest-dev] github compromised account on organisation
Thanks Floris. Yes, please go ahead and contact the user.

I've posted a thread about this for the Core team in the pytest-dev Discussions, just for reference: https://github.com/orgs/pytest-dev/teams/core/discussions/23

Cheers,
Bruno.

On Thu, Dec 8, 2022 at 10:18 AM Floris Bruynooghe wrote:
> Hi folks,
>
> GitHub recently sent an email warning of a member of the pytest-dev org
> (I'm purposefully not adding identifiable information here) likely
> having a compromised API token that may have been abused. The member in
> question only has read access to all but one plugin repository so the
> impact is limited.
>
> Nevertheless we should probably contact them to ask for them to make
> sure they revoke all API tokens, replace them with more limited-scope
> ones if possible and audit the plugin. If they can't do this or don't
> respond I guess we should (temporarily) restrict their access to the
> plugin as well.
>
> I'm happy to contact them, but also didn't do so yet just in case
> multiple folks jump on this. Probably one is enough.
>
> Cheers,
> Floris
[pytest-dev] github compromised account on organisation
Hi folks,

GitHub recently sent an email warning of a member of the pytest-dev org (I'm purposefully not adding identifiable information here) likely having a compromised API token that may have been abused. The member in question only has read access to all but one plugin repository so the impact is limited.

Nevertheless we should probably contact them to ask for them to make sure they revoke all API tokens, replace them with more limited-scope ones if possible and audit the plugin. If they can't do this or don't respond I guess we should (temporarily) restrict their access to the plugin as well.

I'm happy to contact them, but also didn't do so yet just in case multiple folks jump on this. Probably one is enough.

Cheers,
Floris