Hi folks,
GitHub recently sent an email warning of a member of the pytest-dev org
(I'm purposefully not adding identifiable information here) likely
having a compromised API token that may have been abused. The member in
question only has read access to all but one plugin repository so the
impact
Thanks Floris.
Yes, please go ahead and contact the user.
I've posted a thread about this for the Core team in the pytest-dev
Discussions, just for reference:
https://github.com/orgs/pytest-dev/teams/core/discussions/23
Cheers,
Bruno.
On Thu, Dec 8, 2022 at 10:18 AM Floris Bruynooghe wrote:
Hi folks,
Given the recent incident of suspicious activity using a stolen credential
from a pytest-dev org member, it was suggested that pytest is high-enough
profile that we should require 2FA for all members.
I'm definitely +1 on this, sending this message here in case someone wants
to voice co
Hi folks,
I intend to enable the requirement in a few hours, unless someone objects.
Cheers,
Bruno.
On Thu, Dec 8, 2022 at 1:17 PM Bruno Oliveira wrote:
> Hi folks,
>
> Given the recent incident of suspicious activity using a stolen credential
> from a pytest-dev org member, it was suggested t
I'd also be +1 on this.
Note however that the user in question did have 2FA enabled already and
indeed this doesn't help for compromised tokens. I think we can force
some limits on what tokens are allowed, I'm not entirely sure here and
on how restricting this may turn out to be for people.
Anyw
Makes sense to me.
On Thu, Dec 8, 2022 at 11:42 AM Floris Bruynooghe wrote:
> I'd also be +1 on this.
>
> Note however that the user in question did have 2FA enabled already and
> indeed this doesn't help for compromised tokens. I think we can force
> some limits on what tokens are allowed, I'm