[python-committers] Saying hello as a new core dev
Hi, python-committers!

That's huge, for me, to receive this notification "You're now a core developer, congratulations!" Thanks everyone here! And wow, your messages in your votes to bring me in are heartwarming; as I said yesterday, they validate, again and again, the ancient adage "Come for the language, stay for the community".

-- 
Julien Palard
https://mdk.fr

___
python-committers mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/
Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email
Antoine Pitrou:
> I don't know what security experts think, but the idea of having to
> print and keep around recovery codes (for each and every website I
> enable 2FA on!) sounds completely braindead to me.
> Do you expect to be able to find back a random piece of paper in 5
> years? I certainly don't.

The basic idea of 2FA is to combine something you know and something you have. Recovery codes are on the "something you have" side: they are not a secret, they are a possession, so it's completely OK to keep your recovery codes in your wallet. It's even a good practice to keep them in your wallet: you know where they are and they're accessible. If you break the "thing you have" you can still identify yourself even if you're out of your house.

If you lose your wallet (it got stolen, dropped in the ocean, whatever), it's no big deal: just regenerate the codes. Nobody knows your password, so your security is not broken. In other words, the thief stealing a wallet is not the guy stealing the password, so everything's good, and you have to regenerate your recovery codes faster than they can meet (should be easy).

To reply to your other answer, it's not really OK to store your password and your 2FA generating program on the same hardware: it breaks the "something you know and something you have" separation, it's reduced to something you have, and it no longer needs two clearly separated steps to be broken.

-- 
Julien Palard
https://mdk.fr
Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email
Antoine Pitrou:
> A random piece of paper in my wallet may not have an extremely long
> lifetime (paper is fragile). And one piece of paper might be ok, but
> what if I need one for every 2FA-enabled Web site?

It's a legitimate question, so I'm taking mine out right now to check. I use a single folded paper of like 20cm×10cm, so folded twice it takes less than a standard card, and it's in good shape as it's stored in a flat compartment of my wallet (I've had it for like 6 months; I do not remember the "bad shape" of my previous one when I changed it). I currently have 7 services on it, with 6 codes for each of them, and there's still room for 4 services if I don't start using both sides. It's handwritten as I didn't have a printer at that time (yes, it's a PITA to write them all; I now have a printer and will try with it next time).

So from my point of view it's totally OK to store them as a folded sheet of paper in a wallet, as long as you can print and cut them: I agree, handwriting them is really something I would not recommend. Also, renewing all codes (if your wallet gets stolen) takes a huge amount of time if you have codes for, say, more than 5 services; it's something to consider, but it does not happen often.

While I'm at it, applications like Google Authenticator do *not* display a favicon or whatever, just the name of the service, and it starts to be annoying up to 10 registered services (almost two screens long of OTPs being generated). Also, I consider receiving OTPs over SMS a bad solution: you may not receive them in some places or some countries, besides their being relatively easy to intercept (by someone really wanting them; they could just buy a big wrench for $10 at this point).

-- 
Julien Palard
https://mdk.fr
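The two messages above separate the "something you have" factor (the OTP-generating app or token) from the printed recovery codes that replace it when the token is lost, and they argue that a stolen sheet is harmless as long as the codes can be regenerated. As an added example, not code from the list thread or from any service mentioned in it, here is a minimal server-side implementation of both pieces in Python using only the standard library: an RFC 6238 TOTP generator (checked against the RFC's reference secret), and a recovery-code store that keeps only hashes, consumes each code once, and wipes the whole set on regeneration. The code count, code format and the "installer" names are constructed assumptions, not any real provider's policy.

```python
"""Added example: TOTP (RFC 6238) plus single-use, regenerable recovery codes.
Standard library only; the code format and count are constructed choices."""
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current 30-second time step."""
    return hotp(key, int(unix_time) // step, digits)


def totp_matches(key: bytes, candidate: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbours (clock drift), comparing
    in constant time so a wrong guess does not leak how many digits were right."""
    step_now = int(unix_time) // 30
    return any(hmac.compare_digest(hotp(key, s), candidate)
               for s in range(step_now - skew, step_now + skew + 1))


class RecoveryCodeStore:
    """Server-side record of one user's recovery codes.

    Only hashes are stored, each code works once, and regenerate() replaces the
    whole set: a lost wallet is harmless because the old sheet becomes worthless
    and the password (the "something you know") was never on it."""

    CODE_COUNT = 6  # constructed value; real services vary

    def __init__(self) -> None:
        self._hashes = set()

    @staticmethod
    def _normalize(code: str) -> str:
        return code.replace("-", "").replace(" ", "").lower()

    @classmethod
    def _digest(cls, code: str) -> str:
        # Codes are 40-bit random strings, so an unsalted SHA-256 is enough to stop
        # a database leak from yielding usable codes; there is no user-chosen input.
        return hashlib.sha256(cls._normalize(code).encode()).hexdigest()

    def regenerate(self, count: int = CODE_COUNT) -> list:
        """Invalidate every existing code and return a fresh printable set."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)                    # 10 hex chars = 40 bits
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self._hashes = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume one code; False if unknown or already used."""
        candidate = self._digest(code)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, candidate):
                self._hashes.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"                 # RFC 6238 reference secret
    print("TOTP at t=59, 8 digits:", totp(rfc_secret, 59, digits=8))  # 94287082
    store = RecoveryCodeStore()
    sheet = store.regenerate()
    print("print this and keep it in your wallet:", sheet)
    print("first use:", store.redeem(sheet[0]), "second use:", store.redeem(sheet[0]))
    print("after a lost wallet, regenerate:", store.regenerate(), "old sheet valid?",
          store.redeem(sheet[1]))
```

The `redeem` loop compares against every stored hash rather than doing a set lookup so that the comparison itself is constant time; with six codes the cost is negligible. The TOTP secret is the single value that must never share a machine with the password, which is the separation the message above insists on.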
Re: [python-committers] Poll: Do you like the PEP 572 Assignment Expressions?
-1

-- 
Julien Palard
https://mdk.fr
Re: [python-committers] New core developers: Lisa Roach and Emily Morehouse-Valcarcel
> At the developer sprints this week, we collectively decided to grant core
> committer status to Emily and Lisa.

Congratulations and Welcome!!

-- 
Julien Palard
https://mdk.fr
Re: [python-committers] Vote to promote Stéphane Wirtel as a core dev
> Julien Palard and me (Victor) propose to promote Stéphane Wirtel as
> core developer.

It's probably obvious, but still: +1! I've met Stéphane multiple times at Python-related events, worked with him on various occasions, and every time it's a pleasure!

-- 
Julien Palard
https://mdk.fr
[python-committers] Publish better than md5sums of Python builds?
Hi,

Someone on Mastodon made me notice that:

=> https://www.python.org/downloads/release/python-392/

gives the md5 sum of Python builds, and that we should probably do better. What about sha256? Has it been discussed already?

Bests,
-- 
[Julien Palard](https://mdk.fr)

___
python-committers mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/M5LUTV7MRIJHHSWJJRN5TJJG3KUVBVBU/
Code of Conduct: https://www.python.org/psf/codeofconduct/
[python-committers] Re: Publish better than md5sums of Python builds?
On 2021-03-16 at 15:52, Christian Heimes wrote:
> could you please explain your use case? Which problem are you trying to
> solve? How would a sha256 checksum help you solve that problem?

No, I'm just forwarding the surprise of a user seen on a random social network (I'm monitoring the python hashtag on Mastodon these days). Feel free to follow up with the original poster:

=> https://mastodon.technology/@musicmatze/105898597559877474

(Mastodon does not need you to have an account on mastodon.technology in particular; any Mastodon account will do to interact with him, or ask me to ask him for an email in private if you prefer.)

-- 
[Julien Palard](https://mdk.fr)

Message archived at https://mail.python.org/archives/list/[email protected]/message/OW2G45UUYLUQLBN7PKJBQKGHJ63VJBYB/
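The thread above asks what a SHA-256 checksum on the release page would actually buy a user over the published MD5. As an added example, not code from the list thread or from python.org's release tooling, here is the consumer side of that decision in Python: a parser for `sha256sum`-style digest files that refuses MD5-length digests outright, a streaming hasher for large installers, and a constant-time verification. The digest file contents, file names (`Python-3.9.2.tgz` is used only as a label matching the release mentioned above) and the "installer" bytes are constructed for the example.

```python
"""Added example: verifying a downloaded build against a published digest.
Standard library only; the checksum lines and files below are constructed."""
import hashlib
import hmac
import os
import tempfile

# Accepted algorithms and their hex digest lengths. MD5 (32 hex chars) is
# deliberately absent: it is collision-broken, so a matching MD5 only shows the
# file survived transit, not that it is the file the publisher signed off on.
ACCEPTED = {"sha256": 64, "sha512": 128}
HEX = set("0123456789abcdefABCDEF")


def parse_sums(text: str, algo: str = "sha256") -> dict:
    """Parse `sha256sum`/`shasum -a 256` output: '<hex>  <name>' or '<hex> *<name>'."""
    if algo not in ACCEPTED:
        raise ValueError(f"refusing digest algorithm {algo!r}; accepted: {sorted(ACCEPTED)}")
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <filename>'")
        digest, name = parts
        name = name.lstrip("*")                           # binary-mode marker
        if len(digest) != ACCEPTED[algo] or any(c not in HEX for c in digest):
            raise ValueError(f"line {lineno}: {digest!r} is not a {algo} digest")
        expected[name] = digest.lower()
    return expected


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash incrementally so a multi-hundred-MB installer never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fp:
        for block in iter(lambda: fp.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_file(path: str, expected_hex: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of the computed digest against the published one."""
    if algo not in ACCEPTED:
        raise ValueError(f"refusing digest algorithm {algo!r}")
    return hmac.compare_digest(digest_file(path, algo), expected_hex.lower())


def demo() -> dict:
    """Constructed scenario: the genuine download and a copy with one word changed."""
    genuine = b"#!/bin/sh\necho 'constructed installer payload'\n"
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "Python-3.9.2.tgz")
        bad = os.path.join(tmp, "Python-3.9.2-altered.tgz")
        with open(good, "wb") as fp:
            fp.write(genuine)
        with open(bad, "wb") as fp:
            fp.write(genuine.replace(b"echo", b"eval"))
        # The publisher's SHA256SUMS line for the genuine file (constructed here).
        sums = parse_sums(f"{digest_file(good)}  Python-3.9.2.tgz\n")
        return {
            "genuine": verify_file(good, sums["Python-3.9.2.tgz"]),
            "altered": verify_file(bad, sums["Python-3.9.2.tgz"]),
        }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'altered': False}
```

The check is only as trustworthy as the channel the digest came from: a SHA-256 fetched over the same connection as the file protects against corruption and a careless mirror, but against an attacker who controls both, a detached signature over the digest list is what adds assurance.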
[python-committers] Re: PyCon US passes for core devs
On 2021-03-17 at 16:22, Ewa Jodlowska wrote:
> If you are interested in a free pass to PyCon US, please apply for
> financial aid via your dashboard

Thanks for letting us know Ewa! One question: do we already know on which conferencing system this PyCon will run?

Bests,
-- 
[Julien Palard](https://mdk.fr)

Message archived at https://mail.python.org/archives/list/[email protected]/message/EVEMKKRYXV3FIRNERLOIRC6RXSS252IR/
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
I do use a Yubikey too.

On 6/14/21 at 11:27 PM, Tim Peters wrote:
> If I buy one and plug it in, and that's the end of it, fine by me

That's almost as simple as you want:

- In the GitHub settings 2FA tab you'll have to hit a "Register a new security key" button; it makes your key "blink" (blinking means: please touch the key to allow this action).
- Then every time you log in your key blinks and you have to touch it to allow this action.

And that's it. It uses an open standard called U2F [1] which works on a variety of setups (it works with Firefox on Debian for example). It also works on pypi.org \o/.

If the PSF is willing to help financially, I'd recommend everyone to buy (and register) two keys: a primary key and a backup key in case you lose or break the first one. I personally have a USB-C key and a USB-A key, so I can choose my key according to the USB port I need to use.

Then optionally you can set up a PIV application on the key to store your private ssh key, and use PKCS11 to forward ssh connection challenges to be resolved by the key. The big advantage is: your private key never leaves the key (which is write-only). It's way more complicated than U2F though!

[1]: https://en.wikipedia.org/wiki/Universal_2nd_Factor

-- 
[Julien Palard](https://mdk.fr)

Message archived at https://mail.python.org/archives/list/[email protected]/message/HZPN57WF77CRUZAVSJQ7XP32V6I2VBE6/
[python-committers] Re: Please make sure you're following good security practices with your GitHub account
On 6/16/21 at 10:50 AM, Antoine Pitrou wrote:
> It's as reliable as printing passwords on a piece of paper, isn't it?

The password is *something you know*, so we (all?) agree: printing it is a bad idea. The 2nd factor is *something you have*, so printing them is not an issue, and having them in your wallet is fine too (and can even save the day). A U2F key as a 2nd factor is *something you have* too; it's not more nor less physical than paper in your wallet. The idea is: it's harder to steal something you know *and* something you have.

-- 
[Julien Palard](https://mdk.fr)

Message archived at https://mail.python.org/archives/list/[email protected]/message/GRRZOEALYA6PZ3KXY2L5DWBIJWNZCMSK/
