Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Alex Gaynor
They require a preference to be enabled, but yeah, Security Keys in Firefox Quantum 🎉 https://mobile.twitter.com/jamespugjones/status/91231495223226 Alex On Tue, Dec 12, 2017 at 11:21 AM, Antoine Pitrou wrote: > > If some people are inclined to push for 2FA, I think it would be more > produ

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Antoine Pitrou
If some people are inclined to push for 2FA, I think it would be more productive to write some kind of document giving advice and suggestions and addressing all potential issues (such as backups, cross-platform compatibility, software integration with various tools, etc.). For example I have 2FA

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Brett Cannon
On Tue, Dec 12, 2017, 05:07 M.-A. Lemburg, wrote: > I'm with David on this one. 2FA is good for admin accounts, but > doesn't add much protection for regular committers. Think of what > you're trying to protect against: git checkins are all audited and > can easily be undone. > But David has an

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Stefan Krah
On Tue, Dec 12, 2017 at 02:04:42PM +0100, Christian Heimes wrote: > If you don't trust the closed-source Yubico hardware, there is plenty of > other hardware out. https://www.nitrokey.com/ is good German engineering > with fully open-sourced hardware and software. > > Adam has compiled a nice list

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Christian Heimes
On 2017-12-12 02:17, Gregory P. Smith wrote: > On Mon, Dec 11, 2017 at 12:26 PM R. David Murray > wrote: > > On Mon, 11 Dec 2017 14:56:21 -0500, Donald Stufft > wrote: > > > > > On Dec 11, 2017, at 2:52 PM, R. David Murray >

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Paul Moore
On 12 December 2017 at 13:07, M.-A. Lemburg wrote: > I'm with David on this one. 2FA is good for admin accounts, but > doesn't add much protection for regular committers. Think of what > you're trying to protect against: git checkins are all audited and > can easily be undone. Indeed. I'd rather

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Antoine Pitrou
And I'm not even sure it's possible to push directly without opening a PR... All the arguments have been heard now and it would be nice if this thread could die. On 12/12/2017 at 14:07, M.-A. Lemburg wrote: > I'm with David on this one. 2FA is good for admin accounts, but > doesn't add much p

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread M.-A. Lemburg
I'm with David on this one. 2FA is good for admin accounts, but doesn't add much protection for regular committers. Think of what you're trying to protect against: git checkins are all audited and can easily be undone. -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from t

[python-committers] Fwd: What happens if I loose my password, 2FA key and recovery key

2017-12-12 Thread Victor Stinner
For the ones who are worried about losing all credentials for their GitHub account, here are some official answers from GitHub support. Victor -- Forwarded message -- From: Michael (GitHub Staff) Date: 2017-12-12 11:05 GMT+01:00 Subject: Re: What happens if I loose my password, 2

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Victor Stinner
2017-12-11 13:57 GMT+01:00 Stefan Krah : > I'm not a fan of hardware key generation. :-) > > https://en.wikipedia.org/wiki/YubiKey > > "In October 2017, security researchers found a vulnerability (known as ROCA) > in the implementation of RSA keypair generation in a cryptographic library > used b

Re: [python-committers] 2FA: only needed at the *first* GitHub login, not needed for commits

2017-12-12 Thread Stefan Krah
On Tue, Dec 12, 2017 at 10:42:56AM +0100, Victor Stinner wrote: > Let me explain how GitHub uses 2FA. > > * Let's say that you are not logged on GitHub (or log out to test yourself). > * Log in GitHub: enter email and password, then you are asked for an > "Authentication code". > * You're logged i

Re: [python-committers] Security: please enable 2-factor authentication on GitHub and your email

2017-12-12 Thread Victor Stinner
2017-12-11 17:19 GMT+01:00 Chris Jerdonek : > Why do you say this? Can't this only be true for accounts that allow > password recovery / reset via email? > > --Chris While I didn't check, I'm quite sure that the email quickly comes into play when you want to recover your GitHub account wh

[python-committers] 2FA: only needed at the *first* GitHub login, not needed for commits

2017-12-12 Thread Victor Stinner
Hi, On the "Security: please enable 2-factor authentication on GitHub and your email" thread that I started, I see many people afraid of being annoyed every day by 2FA (2-factor authentication, called "Authentication code" in GitHub). Let me explain how GitHub uses 2FA. * Let's say that you are n