
Yea, making Phyllis admin would mean that GitHub enforces 2FA on the account. Relevant documentation from https://docs.github.com/en/authentication/securing-your-account-with-two-fac... (emphasis mine):

> Your account is selected for mandatory 2FA if you have taken some action on GitHub that shows you are a contributor. Eligible actions include:
> - Publishing an app or action for others.
> - Creating a release for your repository.
> - Contributing to specific high-importance repositories, such as the projects tracked by the Open Source Security Foundation <https://github.com/ossf/wg-securing-critical-projects#current-work>.
> - Being an administrator of a high-importance repository.
> - *Being an organization owner for an organization containing repositories or other users.*
> - Being an enterprise administrator.

On Thu, May 23, 2024 at 9:24 PM William Woodruff <william@yossarian.net> wrote:
(Sorry, answering my own question: I forgot that GitHub has mandatory MFA already.)
I think as long as all PyPA org admins have a strong MFA method (meaning a security token or TOTP) then the risk is acceptable here. But I'm still happy to start/facilitate/help with a conversation between GH and thanks.dev about fixing the permissions needed here :-)
- William
On Thu, May 23, 2024 at 10:12 PM William Woodruff <william@yossarian.net> wrote:
Hey Phyllis,
I trust you completely! It's unfortunate that this integration requires admin access, however -- I don't have any objection to continuing as-is, but I'm also happy to talk with the thanks.dev owners (either directly or jointly with you) and see if this is something that can be improved on their side. I know this is me being an annoying security person, but IMO it's worth evaluating given that everything (to a first approximation) in the Python ecosystem directly or indirectly depends on the integrity of the packages under the PyPA org.
As a related question for the PyPA org admins: does the PyPA org currently have an MFA requirement? If not IMO we should consider applying one (even independently of this).
On Thu, May 23, 2024 at 5:57 PM Phyllis Dobbs <phyllis@python.org> wrote:
Hi, Bernat,
That's right. Here's a screenshot of the donations PyPA had earned in thanks.dev, so you can get a sense of the level of detail.

[image: Screenshot 2024-01-30 at 01.56.44.png]

Thanks,
Phyllis A. Dobbs
Controller
Python Software Foundation
On Thu, May 23, 2024 at 10:32 AM Bernat Gabor <gaborjbernat@gmail.com> wrote:
Sounds good to me, in this case they can remain under the PSF general budget no worries. That being said then we don't actually know if those funds have been donated for pip or not as the first post implied: "PyPA where Sentry is donating funds to pip".
On Thu, May 23, 2024, 08:18 Phyllis Dobbs <phyllis@python.org> wrote:
Hi, folks,
Sorry for the delay - I was a bit busy with PyCon US.
PyPA is authorized under the PSF's thanks.dev account under my PSF account, so we'll begin monthly transfers of PyPA's funds to the PSF's accounts for the projects. thanks.dev is an application that can be revoked at any time if you all prefer:
[image: image.png]
Mike, I need to have full admin rights because it is a requirement from thanks.dev to integrate as the billing manager. I promise, I won't do anything else in y'all's repos! I have similar access for Pallets right now as they were the first PSF project with thanks.dev donations. I'm pretty sure David Lord would give me a positive testimonial.
Gabor, as far as distributing funds, I believe we receive payments for all PyPA pages in one lump, so it is different from Tidelift, which identifies page-level income and makes it easy for the PSF to distribute funds back to individual maintainers. There are general PyPA funds that could be used for various purposes and would require a vote from the committers to release funds for a specific purpose. Would it be helpful for us to schedule a call to go over PyPA's finances?
Matthias, Jupyter and IPython are NumFOCUS' fiscal sponsorees, so the PSF can't accept funds on their behalf. But, it would be a good idea to talk to the NumFOCUS team to see if they could do a similar arrangement with Armin <http://armin@thanks.dev> from thanks.dev so more funds head to those projects.
Do you all have any other questions?
Thanks,
Phyllis A. Dobbs
Controller
Python Software Foundation
On Wed, May 22, 2024 at 1:41 PM Pradyun Gedam <mail@pradyunsg.me> wrote:
I agree! I've invited Phyllis as a member, and we can bump it to owner if she isn't able to get the relevant bits of access.
I'm not sure that the billing manager approach is gonna work here, but I'd say it won't hurt to make Phyllis that (if she's OK with it, which I'll wait for her to confirm to me separately, since she can't email the list without approvals). The sponsorships they're referring to are the GitHub Sponsors functionality.
On Wed, 22 May 2024, 14:52 Mike, <miketheman@gmail.com> wrote:
> GitHub advertises a Billing Manager role, see more here:
>
> https://docs.github.com/en/organizations/managing-peoples-access-to-your-org...
>
> One of the listed permissions is: "Start, modify, or cancel sponsorships" - is that what is necessary for the thanks.dev management?
>
> In the spirit of what William noted, would it be worth trying that out first, and expanding to full admin only if necessary to manage the integration?
>
> -M
>
> On Wed, May 22, 2024 at 9:47 AM William Woodruff <william@yossarian.net> wrote:
>
>> No objections in principle, but as a practical matter: is there a "principle of least authority" option here? In other OSS orgs I'm in we use fine-grained permissions to avoid giving people credentials that they don't actually require (to reduce an attacker's ability to pivot on a compromised account), and it'd probably be good to do the same here rather than providing blanket admin rights to all repos.
>>
>> OTOH this may not be possible from a credential/scoping perspective; not sure how thanks.dev works.
>>
>> Best,
>> William
>>
>> Sent from mobile. Please excuse my brevity.
>>
>> On May 22, 2024, at 3:08 PM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
>>
>> No objections,
>>
>> I'm also managing thanks.dev for IPython/Jupyter, do you want me to enable the integration with the PyPA org? (it only requires read access I believe, and I think I can only send a request to activate the integration, and someone else needs to approve).
>>
>> I'm still a bit confused about how exactly thanks.dev works, the UI is a bit confusing, but my experience is that it is similar to Tidelift, except you can forward the funds you receive to other projects, both as a one-time process, or recurrent.
>>
>> --
>> Matthias
>>
>> On Wed, 22 May 2024 at 14:09, Bernat Gabor <gaborjbernat@gmail.com> wrote:
>>
>>> Will PSF act here the same way it does currently for Tidelift? As in, virtualenv could also take advantage to acquire funds that have been donated?
>>>
>>> On Wed, May 22, 2024, 08:03 Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
>>>
>>>> Hi folks!
>>>>
>>>> Phyllis from the PSF reached out about being added as an admin to the pypa organisation to manage the thanks.dev integration that we have for the PyPA where Sentry is donating funds to pip. If there's any concerns with this, please let me know. If no concerns are raised by next week (Friday, 24th), I'll go ahead and do this.
>>>>
>>>> Best,
>>>> Pradyun
>>>>
>>>> PS: @Phyllis Dobbs <phyllis@python.org> I did send you an invite and redacted it since I think I'll wait for folks to raise concerns before doing this.
>>>>
>>>> _______________________________________________
>>>> PyPA-Committers mailing list -- pypa-committers@python.org
>>>> To unsubscribe send an email to pypa-committers-leave@python.org
>>>> https://mail.python.org/mailman3/lists/pypa-committers.python.org/
>>>> Member address: gaborjbernat@gmail.com