Thank you, Dustin!

I pulled down $6,766 in donations made via thanks.dev for PyPA today! The two largest sources of donations are Sentry and Codecov, with smaller amounts coming from Sourcegraph.

Thanks,
Phyllis A. Dobbs
Controller
Python Software Foundation

On Mon, Sep 16, 2024 at 3:48 PM Dustin Ingram <di@python.org> wrote:
I've made Phyllis an owner of the PyPA org.

On Fri, Sep 13, 2024 at 10:39 AM Dustin Ingram <di@python.org> wrote:
Hi folks, unless anyone has strong objections, I'm going to go ahead and add Phyllis as an admin in the PyPA org for now, in the interest of not leaving money on the table, and follow up with the thanks.dev team to make an improvement here that would satisfy the concerns raised by William.

On Mon, May 27, 2024 at 12:57 PM Sviatoslav Sydorenko <webknjaz@redhat.com> wrote:
I'd like to share that it's possible to restrict who can manage thanks.dev by adding an undocumented config file at https://github.com/pypa/.thanks.dev: the filename is `THANKS.yaml` and it would contain a mapping with a key `admins:`, and the value would be a sequence of strings in the format of `gh/<username>`. By default, though, they let any org owner manage the entire pool of cash (which is per-account/org, not per-project, which is annoying).

On Sat, May 25, 2024 at 4:18 AM Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
Yea, making Phyllis admin would mean that GitHub enforces 2FA on the account.

Relevant documentation from https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/about-mandatory-two-factor-authentication#about-eligibility-for-mandatory-2fa (emphasis mine):

Your account is selected for mandatory 2FA if you have taken some action on GitHub that shows you are a contributor. Eligible actions include:
- Publishing an app or action for others.
- Creating a release for your repository.
- Contributing to specific high-importance repositories, such as the projects tracked by the Open Source Security Foundation.
- Being an administrator of a high-importance repository.
- Being an organization owner for an organization containing repositories or other users.
- Being an enterprise administrator.

On Thu, May 23, 2024 at 9:24 PM William Woodruff <william@yossarian.net> wrote:
(Sorry, answering my own question: I forgot that GitHub has mandatory MFA already.)

I think as long as all PyPA org admins have a strong MFA method (meaning a security token or TOTP) then the risk is acceptable here. But I'm still happy to start/facilitate/help with a conversation between GH and thanks.dev about fixing the permissions needed here :-)

- William

On Thu, May 23, 2024 at 10:12 PM William Woodruff <william@yossarian.net> wrote:
Hey Phyllis,

I trust you completely! It's unfortunate that this integration requires admin access, however -- I don't have any objection to continuing as-is, but I'm also happy to talk with the thanks.dev owners (either directly or jointly with you) and see if this is something that can be improved on their side. I know this is me being an annoying security person, but IMO it's worth evaluating given that everything (to a first approximation) in the Python ecosystem directly or indirectly depends on the integrity of the packages under the PyPA org.

As a related question for the PyPA org admins: does the PyPA org currently have an MFA requirement? If not, IMO we should consider applying one (even independently of this).

On Thu, May 23, 2024 at 5:57 PM Phyllis Dobbs <phyllis@python.org> wrote:
Hi, Bernat,

That's right. Here's a screenshot of the donations PyPA has earned in thanks.dev, so you can get a sense of the level of detail.

Thanks,
Phyllis A. Dobbs
Controller
Python Software Foundation

On Thu, May 23, 2024 at 10:32 AM Bernat Gabor <gaborjbernat@gmail.com> wrote:
Sounds good to me; in this case they can remain under the PSF general budget, no worries. That being said, then we don't actually know if those funds have been donated for pip or not, as the first post implied: "PyPA where Sentry is donating funds to pip".

On Thu, May 23, 2024, 08:18 Phyllis Dobbs <phyllis@python.org> wrote:
Hi, folks,

Sorry for the delay - I was a bit busy with PyCon US.

PyPA is authorized under the PSF's thanks.dev account under my PSF account, so we'll begin monthly transfers of PyPA's funds to the PSF's accounts for the projects. thanks.dev is an application that can be revoked at any time if you all prefer:

Mike, I need to have full admin rights because it is a requirement from thanks.dev to integrate as the billing manager. I promise, I won't do anything else in y'all's repos! I have similar access for Pallets right now, as they were the first PSF project with thanks.dev donations. I'm pretty sure David Lord would give me a positive testimonial.

Gabor, as far as distributing funds, I believe we receive payments for all pypa pages in one lump, so it is different from Tidelift, which identifies page-level income and makes it easy for the PSF to distribute funds back to individual maintainers. There are general PyPA funds that could be used for various purposes and would require a vote from the committers to release funds for a specific purpose. Would it be helpful for us to schedule a call to go over PyPA's finances?

Matthias, Jupyter and IPython are NumFOCUS' fiscal sponsorees, so the PSF can't accept funds on their behalf. But it would be a good idea to talk to the NumFOCUS team to see if they could do a similar arrangement with Armin from thanks.dev so more funds head to those projects.

Do you all have any other questions?

Thanks,
Phyllis A. Dobbs
Controller
Python Software Foundation

On Wed, May 22, 2024 at 1:41 PM Pradyun Gedam <mail@pradyunsg.me> wrote:
I agree! I've invited Phyllis as a member, and we can bump it to owner if she isn't able to get the relevant bits of access.

I'm not sure that the billing manager approach is gonna work here, but I'd say it won't hurt to make Phyllis that (if she's OK with it, which I'll wait for her to confirm to me separately, since she can't email the list without approvals). The sponsorships they're referring to is the GitHub Sponsors functionality.

On Wed, 22 May 2024, 14:52 Mike, <miketheman@gmail.com> wrote:
GitHub advertises a Billing Manager role, see more here:

One of the listed permissions is: "Start, modify, or cancel sponsorships" - is that what is necessary for the thanks.dev management?

In the spirit of what William noted, would it be worth trying that out first, and expanding to full admin only if necessary to manage the integration?

-M

On Wed, May 22, 2024 at 9:47 AM William Woodruff <william@yossarian.net> wrote:
No objections in principle, but as a practical matter: is there a “principle of least authority” option here? In other OSS orgs I’m in we use fine-grained permissions to avoid giving people credentials that they don’t actually require (to reduce an attacker’s ability to pivot on a compromised account), and it’d probably be good to do the same here rather than providing blanket admin rights to all repos.

OTOH this may not be possible from a credential/scoping perspective; not sure how thanks.dev works.

Best,
William

Sent from mobile. Please excuse my brevity.

On May 22, 2024, at 3:08 PM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
No objections,

I'm also managing thanks.dev for IPython/Jupyter, do you want me to enable the integration with the PyPA org? (It only requires read access I believe, and I think I can only send a request to activate the integration, and someone else needs to approve.)

I'm still a bit confused about how exactly thanks.dev works, the UI is a bit confusing, but my experience is that it is similar to Tidelift, except you can forward the funds you receive to other projects – both as a one-time process, or recurrent.

--
Matthias

On Wed, 22 May 2024 at 14:09, Bernat Gabor <gaborjbernat@gmail.com> wrote:
Will the PSF act here the same way it does currently for Tidelift? As in, virtualenv could also take advantage to acquire funds that have been donated?

On Wed, May 22, 2024, 08:03 Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
Hi folks!

Phyllis from the PSF reached out about being added as an admin to the pypa organisation to manage the thanks.dev integration that we have for the PyPA, where Sentry is donating funds to pip. If there are any concerns with this, please let me know. If no concerns are raised by next week (Friday, 24th), I'll go ahead and do this.

Best,
Pradyun

PS: @Phyllis Dobbs I did send you an invite and redacted it since I think I'll wait for folks to raise concerns before doing this.
PyPA-Committers mailing list -- pypa-committers@python.org
To unsubscribe send an email to pypa-committers-leave@python.org
https://mail.python.org/mailman3/lists/pypa-committers.python.org/
Member address: gaborjbernat@gmail.com
--
Warm regards,
Sviatoslav Sydorenko
Software Hacker @ Ansible Core
---
https://useplaintext.email/
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
---
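The `THANKS.yaml` allowlist Sviatoslav describes above, as an added example that is not part of this thread or of thanks.dev's own tooling: a small stdlib-only Python check that parses the one shape the email documents (assumed here to be a top-level `admins:` key followed by a block sequence of `gh/<username>` strings) and rejects entries that are not well-formed GitHub logins, so an org can verify its pool is restricted to the intended owners before relying on the file. The sample file and usernames are constructed; how thanks.dev itself parses the file is not documented and is not claimed here.

```python
import re

# Constructed sample in the shape described in the thread (the file is
# undocumented upstream; this exact layout is an assumption).
SAMPLE_THANKS_YAML = """\
# Who may manage the thanks.dev pool for this GitHub org
admins:
  - gh/alice-example
  - gh/bob_example
  - gitlab/carol
"""

# GitHub login rules: 1-39 chars, alphanumerics or hyphens, no leading or
# trailing hyphen, no consecutive hyphens.
GH_LOGIN_RE = re.compile(r"^(?!-)(?!.*--)[A-Za-z0-9-]{1,39}(?<!-)$")


def parse_thanks_yaml(text):
    """Minimal parser for the single documented shape: a mapping whose only
    key is `admins`, holding a block sequence of strings. Returns the raw
    entries; raises ValueError on any other structure."""
    entries = []
    in_admins = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line == "admins:":
            in_admins = True
            continue
        if in_admins and line.lstrip().startswith("- "):
            entries.append(line.lstrip()[2:].strip().strip("'\""))
            continue
        raise ValueError(f"unexpected line in THANKS.yaml: {raw!r}")
    if not in_admins:
        raise ValueError("no `admins:` key found")
    return entries


def validate_admins(entries):
    """Split entries into accepted GitHub logins and rejected raw entries
    (wrong provider prefix or malformed login)."""
    accepted, rejected = [], []
    for entry in entries:
        provider, _, login = entry.partition("/")
        if provider == "gh" and GH_LOGIN_RE.match(login):
            accepted.append(login)
        else:
            rejected.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_admins(parse_thanks_yaml(SAMPLE_THANKS_YAML))
    print("accepted admins:", ok)
    print("rejected entries:", bad)
```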