I'd like to invite PhyllisDobbs as an admin on the PyPA organisation
Hi folks!

Phyllis from the PSF reached out about being added as an admin to the pypa organisation to manage the thanks.dev integration that we have for the PyPA, where Sentry is donating funds to pip. If there are any concerns with this, please let me know. If no concerns are raised by next week (Friday, 24th), I'll go ahead and do this.

Best,
Pradyun

PS: @Phyllis Dobbs <phyllis@python.org> I did send you an invite and redacted it since I think I'll wait for folks to raise concerns before doing this.
Will the PSF act here the same way it does currently for Tidelift? As in, virtualenv could also take advantage to acquire funds that have been donated?

On Wed, May 22, 2024, 08:03 Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
_______________________________________________
PyPA-Committers mailing list -- pypa-committers@python.org
To unsubscribe send an email to pypa-committers-leave@python.org
https://mail.python.org/mailman3/lists/pypa-committers.python.org/
Member address: gaborjbernat@gmail.com
No objections.

I'm also managing thanks.dev for IPython/Jupyter; do you want me to enable the integration with the PyPA org? (It only requires read access, I believe, and I think I can only send a request to activate the integration, and someone else needs to approve.)

I'm still a bit confused about how exactly thanks.dev works; the UI is a bit confusing, but my experience is that it is similar to Tidelift, except you can forward the funds you receive to other projects – both as a one-time process, or recurrent.

-- Matthias

On Wed, 22 May 2024 at 14:09, Bernat Gabor <gaborjbernat@gmail.com> wrote:
GitHub advertises a Billing Manager role; see more here:
https://docs.github.com/en/organizations/managing-peoples-access-to-your-org...

One of the listed permissions is: "Start, modify, or cancel sponsorships" - is that what is necessary for the thanks.dev management?

In the spirit of what William noted, would it be worth trying that out first, and expanding to full admin only if necessary to manage the integration?

-M

On Wed, May 22, 2024 at 9:47 AM William Woodruff <william@yossarian.net> wrote:
No objections in principle, but as a practical matter: is there a “principle of least authority” option here? In other OSS orgs I’m in we use fine-grained permissions to avoid giving people credentials that they don’t actually require (to reduce an attacker’s ability to pivot on a compromised account), and it’d probably be good to do the same here rather than providing blanket admin rights to all repos.
OTOH this may not be possible from a credential/scoping perspective; not sure how thanks.dev works.
Best,
William

Sent from mobile. Please excuse my brevity.

On May 22, 2024, at 3:08 PM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
I agree! I've invited Phyllis as a member, and we can bump it to owner if she isn't able to get the relevant bits of access.

I'm not sure that the billing manager approach is gonna work here, but I'd say it won't hurt to make Phyllis that (if she's OK with it, which I'll wait for her to confirm to me separately, since she can't email the list without approvals). The sponsorships they're referring to are the GitHub Sponsors functionality.

On Wed, 22 May 2024, 14:52 Mike <miketheman@gmail.com> wrote:
Hi, folks,

Sorry for the delay - I was a bit busy with PyCon US.

PyPA is authorized under the PSF's thanks.dev account under my PSF account, so we'll begin monthly transfers of funds to PyPA's funds to the PSF's accounts for the projects. thanks.dev is an application that can be revoked at any time if you all prefer:

[image: image.png]

Mike, I need to have full admin rights because it is a requirement from thanks.dev to integrate as the billing manager. I promise, I won't do anything else in y'all's repos! I have similar access for Pallets right now as they were the first PSF project with thanks.dev donations. I'm pretty sure David Lord would give me a positive testimonial.

Gabor, as far as distributing funds, I believe we receive payments for all pypa pages in one lump, so it is different from Tidelift, which identifies page-level income and makes it easy for the PSF to distribute funds back to individual maintainers. There are general PyPA funds that could be used for various purposes and would require a vote from the committers to release funds for a specific purpose. Would it be helpful for us to schedule a call to go over PyPA's finances?

Matthias, Jupyter and IPython are NumFOCUS' fiscal sponsorees, so the PSF can't accept funds on their behalf. But it would be a good idea to talk to the NumFOCUS team to see if they could do a similar arrangement with Armin <http://armin@thanks.dev> from thanks.dev so more funds head to those projects.

Do you all have any other questions?

Thanks,
Phyllis A. Dobbs
Controller
Python Software Foundation

On Wed, May 22, 2024 at 1:41 PM Pradyun Gedam <mail@pradyunsg.me> wrote:
Sounds good to me; in this case they can remain under the PSF general budget, no worries. That being said, then we don't actually know if those funds have been donated for pip or not, as the first post implied: "PyPA where Sentry is donating funds to pip".

On Thu, May 23, 2024, 08:18 Phyllis Dobbs <phyllis@python.org> wrote:
Hi, Bernat,

That's right. Here's a screenshot shared of the donations PyPA had earned in thanks.dev, so you can get a sense of the level of detail.

[image: Screenshot 2024-01-30 at 01.56.44.png]

Thanks,
Phyllis A. Dobbs
Controller
Python Software Foundation

On Thu, May 23, 2024 at 10:32 AM Bernat Gabor <gaborjbernat@gmail.com> wrote:
Hey Phyllis,

I trust you completely! It's unfortunate that this integration requires admin access, however -- I don't have any objection to continuing as-is, but I'm also happy to talk with the thanks.dev owners (either directly or jointly with you) and see if this is something that can be improved on their side. I know this is me being an annoying security person, but IMO it's worth evaluating given that everything (to a first approximation) in the Python ecosystem directly or indirectly depends on the integrity of the packages under the PyPA org.

As a related question for the PyPA org admins: does the PyPA org currently have an MFA requirement? If not, IMO we should consider applying one (even independently of this).

On Thu, May 23, 2024 at 5:57 PM Phyllis Dobbs <phyllis@python.org> wrote:
Hi, Bernat,
That's right. Heres' a screenshot shared of the donations PyPA had earned in thanks.dev, so you can get a sense of the level of detail. [image: Screenshot 2024-01-30 at 01.56.44.png] Thanks,
Phyllis A. Dobbs Controller Python Software Foundation
On Thu, May 23, 2024 at 10:32 AM Bernat Gabor <gaborjbernat@gmail.com> wrote:
Sounds good to me, in this case they can remain under the PSF general budget no worries. That being said then we don't actually know if those funds have been donated for pip or not as the first post implied: "PyPA where Sentry is donating funds to pip".
On Thu, May 23, 2024, 08:18 Phyllis Dobbs <phyllis@python.org> wrote:
Hi, folks,
Sorry for the delay - I was a bit busy with PyCon US.
PyPA is authorized under the PSF's thanks.dev account under my PSF account, so we'll begin monthly transfers of funds to PyPa's funds to the PSF's accounts for the project's. thanks.dev is an application that can be revoked at any time if you all prefer:
[image: image.png]
Mike, I need to have full admin rights because it is a requirement from thanks.dev to integrate as the billing manager. I promise, I won't do anything else in y'alls repos! I have similar access for Pallets right now as they were the first PSF project with thanks.dev donations. I'm pretty sure David Lord would give me a positive testimonial.
Gabor, as far as distributing funds, I believe we receive payments for all pypa pages in one lump, so it is different from Tidelift that identifies page-level income and makes it easy for the PSf to distribute funds back to individual maintainers. There are general PyPA funds that could be used for various purposes and would require a vote from the committers to release funds for a specific purpose. Would it be helpful for us to schedule a call to go over PyPA's finances?
Matthias, Jupyter and IPython are NumFOCUS' fiscal sponsorees, so the PSF can't accept funds on their behalf. But, it would be a good idea to talk to the NumFOCUS team to see if they could do a similar arrangement with Armin <armin@thanks.dev> from thanks.dev so more funds head to those projects.
Do you all have any other questions?
Thanks,
Phyllis A. Dobbs Controller Python Software Foundation
On Wed, May 22, 2024 at 1:41 PM Pradyun Gedam <mail@pradyunsg.me> wrote:
I agree! I've invited Phyllis as a member, and we can bump it to owner if she isn't able to get the relevant bits of access.
I'm not sure that the billing manager approach is gonna work here, but I'd say it won't hurt to make Phyllis that (if she's OK with it, which I'll wait for her to confirm to me separately, since she can't email the list without approvals). The sponsorships they're referring to is the GitHub sponsors functionality.
On Wed, 22 May 2024, 14:52 Mike, <miketheman@gmail.com> wrote:
GitHub advertises a Billing Manager role, see more here:
https://docs.github.com/en/organizations/managing-peoples-access-to-your-org...
One of the listed permissions is: "Start, modify, or cancel sponsorships" - is that what is necessary for the thanks.dev management?
In the spirit of what William noted, would it be worth trying that out first, and expanding to full admin only if necessary to manage the integration?
-M
On Wed, May 22, 2024 at 9:47 AM William Woodruff <william@yossarian.net> wrote:
No objections in principle, but as a practical matter: is there a “principle of least authority” option here? In other OSS orgs I’m in we use fine-grained permissions to avoid giving people credentials that they don’t actually require (to reduce an attacker’s ability to pivot on a compromised account), and it’d probably be good to do the same here rather than providing blanket admin rights to all repos.
OTOH this may not be possible from a credential/scoping perspective; not sure how thanks.dev works.
Best, William
Sent from mobile. Please excuse my brevity.
On May 22, 2024, at 3:08 PM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
No objections,
I'm also managing thanks.dev for IPython/Jupyter, do you want me to enable the integration with the PyPA org ? (it only requires read access I believe, and I think I can only send a request to activate the integration, and someone else need to approve).
I'm still a bit confused about how exactly thanks.dev works, the UI is a bit confusing, but my experience is that it is similar to tidelift, except you can forward the funds you receive to other projects – both as a one-time process, or recurrent.
-- Matthias
On Wed, 22 May 2024 at 14:09, Bernat Gabor <gaborjbernat@gmail.com> wrote:
(Sorry, answering my own question: I forgot that GitHub has mandatory MFA already.)
I think as long as all PyPA org admins have a strong MFA method (meaning a security token or TOTP) then the risk is acceptable here. But I'm still happy to start/facilitate/help with a conversation between GH and thanks.dev about fixing the permissions needed here :-)
- William
On Thu, May 23, 2024 at 10:12 PM William Woodruff <william@yossarian.net> wrote:
Yea, making Phyllis admin would mean that GitHub enforces 2FA on the account.
Relevant documentation from https://docs.github.com/en/authentication/securing-your-account-with-two-fac... (emphasis mine)
Your account is selected for mandatory 2FA if you have taken some action on GitHub that shows you are a contributor. Eligible actions include:
- Publishing an app or action for others.
- Creating a release for your repository.
- Contributing to specific high-importance repositories, such as the projects tracked by the Open Source Security Foundation <https://github.com/ossf/wg-securing-critical-projects#current-work>.
- Being an administrator of a high-importance repository.
- *Being an organization owner for an organization containing repositories or other users.*
- Being an enterprise administrator.
On Thu, May 23, 2024 at 9:24 PM William Woodruff <william@yossarian.net> wrote:
I'd like to share that it's possible to restrict who can manage thanks.dev by adding an undocumented config file at https://github.com/pypa/.thanks.dev: the filename is `THANKS.yaml` and it would contain a mapping with a key `admins:` and a value would be a sequence of strings in the format of `gh/<username>`. By default, though, they let any org owner manage the entire pool of cash (which is per-account/org, not per-project, which is annoying).
On Sat, May 25, 2024 at 4:18 AM Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
--
Warm regards,
Sviatoslav Sydorenko
Software Hacker @ Ansible Core
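An added example that turns the `THANKS.yaml` description above into a check; it is not from the thread and is not PyPA, PSF or thanks.dev tooling. It assumes, as stated above, that thanks.dev reads an `admins:` list of `gh/<username>` entries from `THANKS.yaml` in the org's `.thanks.dev` repository and that, absent such a list, every org owner can manage the pool. It validates the entries and lists which org owners would still be able to manage the pool by default and which listed admins are not owners. The YAML and the owner list are constructed sample data; in practice the owner list would come from the GitHub API (`GET /orgs/{org}/members?role=admin`). Whether thanks.dev accepts admins who are not org owners is not established by the thread, so that comparison is reported rather than treated as an error.

```python
"""Audit who can manage a thanks.dev pool for a GitHub org.

Added example for this thread; not PyPA, PSF or thanks.dev code. It assumes
that thanks.dev reads a THANKS.yaml in the org's .thanks.dev repository with
an `admins:` list of `gh/<username>` entries, and that without such a list
every org owner can manage the whole pool. The YAML and the owner list below
are constructed sample data; the owner list stands in for the GitHub API
response to GET /orgs/{org}/members?role=admin.
"""
import re

# GitHub logins: alphanumerics and single hyphens, never at either end.
GH_LOGIN = re.compile(r"^[A-Za-z0-9](?:-?[A-Za-z0-9]){0,38}$")

SAMPLE_THANKS_YAML = """\
# constructed sample THANKS.yaml
admins:
  - gh/treasurer-bot
  - gh/alice
  - gh/not a login
"""

# Constructed sample: logins the org API would report with role=admin.
SAMPLE_ORG_OWNERS = ["alice", "bob", "carol"]


def parse_thanks_yaml(text):
    """Read the one THANKS.yaml shape described in the thread.

    A deliberately minimal reader for a top-level `admins:` key followed by
    `- <entry>` items, so the example runs without PyYAML. Use a real YAML
    library for anything beyond this shape.
    """
    entries = []
    in_admins = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            # A new top-level key: only `admins:` is of interest.
            in_admins = line.rstrip(":") == "admins"
            continue
        if in_admins and line.lstrip().startswith("- "):
            entries.append(line.lstrip()[2:].strip())
    return entries


def audit_thanks_admins(thanks_yaml, org_owners):
    """Compare the THANKS.yaml admins list with the org's owners.

    Returns the well-formed admin logins, the malformed entries, the owners
    who are not named (and so would hold pool rights only by default), and
    the named admins who are not org owners.
    """
    valid, malformed = [], []
    for entry in parse_thanks_yaml(thanks_yaml):
        login = entry[len("gh/"):] if entry.startswith("gh/") else ""
        if GH_LOGIN.match(login):
            valid.append(login)
        else:
            malformed.append(entry)
    admins, owners = set(valid), set(org_owners)
    return {
        "admins": sorted(admins),
        "malformed": malformed,
        # Owners who could manage the pool by default but are not listed:
        # this is the restriction the file exists to impose.
        "owners_not_admins": sorted(owners - admins),
        # Listed admins who are not org owners: confirm each is intended
        # (stale entry, typo, or someone who has since left the org).
        "admins_not_owners": sorted(admins - owners),
    }


if __name__ == "__main__":
    report = audit_thanks_admins(SAMPLE_THANKS_YAML, SAMPLE_ORG_OWNERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample data the report names `alice` and `treasurer-bot` as admins, flags `gh/not a login` as malformed, and shows `bob` and `carol` as owners with no entry in the file; an empty or missing `admins:` list leaves every owner in that last bucket, which is the default state the message above describes.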
Hi folks, unless anyone has strong objections, I'm going to go ahead and add Phyllis as an admin in the PyPA org for now, in the interest of not leaving money on the table, and follow up with the thanks.dev team to make an improvement here that would satisfy the concerns raised by William.
On Mon, May 27, 2024 at 12:57 PM Sviatoslav Sydorenko <webknjaz@redhat.com> wrote:
I'd like to share that it's possible to restrict who can manage thanks.dev by adding an undocumented config file at https://github.com/pypa/.thanks.dev: the filename is `THANKS.yaml` and it would contain a mapping with a key `admins:` and a value would be a sequence of strings in the format of `gh/<username>`. By default, though, they let any org owner manage the entire pool of cash (which is per-account/org, not per-project, which is annoying).
On Sat, May 25, 2024 at 4:18 AM Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
Yea, making Phyllis admin would mean that GitHub enforces 2FA on the account.
Relevant documentation from https://docs.github.com/en/authentication/securing-your-account-with-two-fac... (emphasis mine)
Your account is selected for mandatory 2FA if you have taken some action on GitHub that shows you are a contributor. Eligible actions include:
- Publishing an app or action for others.
- Creating a release for your repository.
- Contributing to specific high-importance repositories, such as the projects tracked by the Open Source Security Foundation <https://github.com/ossf/wg-securing-critical-projects#current-work>.
- Being an administrator of a high-importance repository.
- *Being an organization owner for an organization containing repositories or other users.*
- Being an enterprise administrator.
On Thu, May 23, 2024 at 9:24 PM William Woodruff <william@yossarian.net> wrote:
(Sorry, answering my own question: I forgot that GitHub has mandatory MFA already.)
I think as long as all PyPA org admins have a strong MFA method (meaning a security token or TOTP) then the risk is acceptable here. But I'm still happy to start/facilitate/help with a conversation between GH and thanks.dev about fixing the permissions needed here :-)
- William
On Thu, May 23, 2024 at 10:12 PM William Woodruff <william@yossarian.net> wrote:
Hey Phyllis,
I trust you completely! It's unfortunate that this integration requires admin access, however -- I don't have any objection to continuing as-is, but I'm also happy to talk with the thanks.dev owners (either directly or jointly with you) and see if this is something that can be improved on their side. I know this is me being an annoying security person, but IMO it's worth evaluating given that everything (to a first approximation) in the Python ecosystem directly or indirectly depends on the integrity of the packages under the PyPA org.
As a related question for the PyPA org admins: does the PyPA org currently have an MFA requirement? If not IMO we should consider applying one (even independently of this).
On Thu, May 23, 2024 at 5:57 PM Phyllis Dobbs <phyllis@python.org> wrote:
Hi, Bernat,
That's right. Here's a screenshot shared of the donations PyPA had earned in thanks.dev, so you can get a sense of the level of detail.

[image: Screenshot 2024-01-30 at 01.56.44.png]

Thanks,

Phyllis A. Dobbs
Controller
Python Software Foundation
On Thu, May 23, 2024 at 10:32 AM Bernat Gabor <gaborjbernat@gmail.com> wrote:
Sounds good to me, in this case they can remain under the PSF general budget no worries. That being said then we don't actually know if those funds have been donated for pip or not as the first post implied: "PyPA where Sentry is donating funds to pip".
On Thu, May 23, 2024, 08:18 Phyllis Dobbs <phyllis@python.org> wrote:
> Hi, folks,
>
> Sorry for the delay - I was a bit busy with PyCon US.
>
> PyPA is authorized under the PSF's thanks.dev account under my PSF account, so we'll begin monthly transfers of funds to PyPA's funds to the PSF's accounts for the projects. thanks.dev is an application that can be revoked at any time if you all prefer:
>
> [image: image.png]
>
> Mike, I need to have full admin rights because it is a requirement from thanks.dev to integrate as the billing manager. I promise, I won't do anything else in y'alls repos! I have similar access for Pallets right now as they were the first PSF project with thanks.dev donations. I'm pretty sure David Lord would give me a positive testimonial.
>
> Gabor, as far as distributing funds, I believe we receive payments for all pypa pages in one lump, so it is different from Tidelift that identifies page-level income and makes it easy for the PSF to distribute funds back to individual maintainers. There are general PyPA funds that could be used for various purposes and would require a vote from the committers to release funds for a specific purpose. Would it be helpful for us to schedule a call to go over PyPA's finances?
>
> Matthias, Jupyter and iPython are NumFOCUS' fiscal sponsorees, so the PSF can't accept funds on their behalf. But, it would be a good idea to talk to the NumFOCUS team to see if they could do a similar arrangement with Armin <http://armin@thanks.dev> from thanks.dev so more funds head to those projects.
>
> Do you all have any other questions?
>
> Thanks,
>
> Phyllis A. Dobbs
> Controller
> Python Software Foundation
>
> On Wed, May 22, 2024 at 1:41 PM Pradyun Gedam <mail@pradyunsg.me> wrote:
>
>> I agree! I've invited Phyllis as a member, and we can bump it to owner if she isn't able to get the relevant bits of access.
>>
>> I'm not sure that the billing manager approach is gonna work here, but I'd say it won't hurt to make Phyllis that (if she's OK with it, which I'll wait for her to confirm to me separately, since she can't email the list without approvals). The sponsorships they're referring to are the GitHub sponsors functionality.
>>
>> On Wed, 22 May 2024, 14:52 Mike, <miketheman@gmail.com> wrote:
>>
>>> GitHub advertises a Billing Manager role, see more here:
>>>
>>> https://docs.github.com/en/organizations/managing-peoples-access-to-your-org...
>>>
>>> One of the listed permissions is: "Start, modify, or cancel sponsorships" - is that what is necessary for the thanks.dev management?
>>>
>>> In the spirit of what William noted, would it be worth trying that out first, and expanding to full admin only if necessary to manage the integration?
>>>
>>> -M
>>>
>>> On Wed, May 22, 2024 at 9:47 AM William Woodruff <william@yossarian.net> wrote:
>>>
>>>> No objections in principle, but as a practical matter: is there a “principle of least authority” option here? In other OSS orgs I’m in we use fine-grained permissions to avoid giving people credentials that they don’t actually require (to reduce an attacker’s ability to pivot on a compromised account), and it’d probably be good to do the same here rather than providing blanket admin rights to all repos.
>>>>
>>>> OTOH this may not be possible from a credential/scoping perspective; not sure how thanks.dev works.
>>>>
>>>> Best,
>>>> William
>>>>
>>>> Sent from mobile. Please excuse my brevity.
>>>>
>>>> On May 22, 2024, at 3:08 PM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
>>>>
>>>> No objections,
>>>>
>>>> I'm also managing thanks.dev for IPython/Jupyter, do you want me to enable the integration with the PyPA org? (it only requires read access I believe, and I think I can only send a request to activate the integration, and someone else needs to approve).
>>>>
>>>> I'm still a bit confused about how exactly thanks.dev works, the UI is a bit confusing, but my experience is that it is similar to tidelift, except you can forward the funds you receive to other projects – both as a one-time process, or recurrent.
>>>>
>>>> --
>>>> Matthias
>>>>
>>>> On Wed, 22 May 2024 at 14:09, Bernat Gabor <gaborjbernat@gmail.com> wrote:
>>>>
>>>>> Will PSF act here same way it does currently for tidelift? As in virtualenv could also take advantage to acquire funds, that have been donated?
>>>>>
>>>>> On Wed, May 22, 2024, 08:03 Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
>>>>>
>>>>>> Hi folks!
>>>>>>
>>>>>> Phyllis from the PSF reached out about being added as an admin to the pypa organisation to manage the thanks.dev integration that we have for the PyPA where Sentry is donating funds to pip. If there's any concerns with this, please let me know. If no concerns are raised by next week (Friday, 24th), I'll go ahead and do this.
>>>>>>
>>>>>> Best,
>>>>>> Pradyun
>>>>>>
>>>>>> PS: @Phyllis Dobbs <phyllis@python.org> I did send you an invite and redacted it since I think I'll wait for folks to raise concerns before doing this.
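Sviatoslav's `THANKS.yaml` note in the quoted thread above describes the one lever found for narrowing who can manage the thanks.dev funds from "any org owner" to named accounts. As an added example (editorial, not the list's or thanks.dev's own code), here is a small checker that validates such a file against the accounts the org has approved and flags the default-open case when the file is absent; the `#`-comment syntax, the GitHub username rule and every handle in the samples are assumptions or constructed placeholders.

```python
"""THANKS.yaml admin allow-list checker (added example, not thanks.dev's tooling).
The message describes a mapping with an `admins:` key whose value is a sequence
of `gh/<username>` strings; without the file any org owner can manage the funds.
Only that shape is parsed (`#` comments are an assumption), so PyYAML is unused.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# GitHub's published username rule: alphanumerics and single hyphens,
# 1-39 characters, no leading, trailing or doubled hyphen.
_GH_USER = re.compile(r"^[A-Za-z0-9](?:-?[A-Za-z0-9]){0,38}$")
_ENTRY = re.compile(r"^gh/(?P<user>.+)$")


@dataclass
class AdminsCheck:
    admins: list[str] = field(default_factory=list)    # accepted handles
    problems: list[str] = field(default_factory=list)  # findings to review

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_admins(text: str) -> tuple[list[str], list[str]]:
    """Return (raw `admins` entries, parse problems) for the minimal shape."""
    entries, problems, in_admins = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments (assumed syntax)
        if not line.strip():
            continue
        if not line.startswith((" ", "\t", "-")):
            # Top-level key: only `admins:` is described, so anything else is reported.
            in_admins = line.strip() == "admins:"
            if not in_admins:
                problems.append(f"line {lineno}: unexpected top-level key {line.strip()!r}")
            continue
        item = line.strip()
        if not in_admins or not item.startswith("- "):
            problems.append(f"line {lineno}: unexpected content {item!r}")
            continue
        entries.append(item[2:].strip().strip("'\""))
    return entries, problems


def check_admins(text: str | None, approved: set[str]) -> AdminsCheck:
    """Validate file content (None means the file is absent) against approved accounts."""
    result = AdminsCheck()
    if text is None:  # the default the message warns about
        result.problems.append("no THANKS.yaml: every org owner can manage the thanks.dev pool")
        return result
    entries, problems = parse_admins(text)
    result.problems.extend(problems)
    if not entries:
        result.problems.append("admins list is empty")
    approved_lc = {a.lower() for a in approved}
    seen: set[str] = set()
    for entry in entries:
        match = _ENTRY.match(entry)
        if not match:
            result.problems.append(f"{entry!r} is not in gh/<username> form")
            continue
        user = match["user"]
        if not _GH_USER.match(user):
            result.problems.append(f"{entry!r}: {user!r} is not a valid GitHub username")
            continue
        if user.lower() in seen:  # GitHub usernames are case-insensitive
            result.problems.append(f"{entry!r} is listed twice")
            continue
        seen.add(user.lower())
        result.admins.append(user)
        if user.lower() not in approved_lc:
            result.problems.append(f"{entry!r} is not an approved thanks.dev admin")
    return result


# Constructed sample files; every handle is a placeholder, not a real account.
GOOD_YAML = """\
admins:
  - gh/example-controller
  - gh/example-maintainer
"""
BAD_YAML = """\
admins:
  - gh/example-controller
  - example-maintainer        # missing gh/ prefix
  - gh/-bad-name              # leading hyphen: not a valid GitHub username
  - gh/unapproved-person      # well-formed, but not on the approved list
  - gh/Example-Controller     # duplicate of the first entry (case-insensitive)
owners: everyone              # key the message does not describe
"""
APPROVED = {"example-controller", "example-maintainer"}

if __name__ == "__main__":  # stand-alone run over the constructed samples
    for label, text in (("good", GOOD_YAML), ("bad", BAD_YAML), ("missing", None)):
        res = check_admins(text, APPROVED)
        print(label, "OK" if res.ok else "FAIL", *res.problems, sep="\n  ")
```

Run as a pre-merge check on the `.thanks.dev` repository, it turns the allow-list into something reviewable: a new `gh/` entry that is not on the approved set, or the file disappearing, fails the check.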
I've made Phyllis an owner of the PyPA org.
Thank you, Dustin! I pulled down $6,766 in donations made via thanks.dev for PyPa today! The two largest sources of donations are Sentry and Codecov with smaller amounts coming from Sourcegraph. PyPA's financials for March <https://drive.google.com/file/d/1_JzjgomVFSsq0dC3nrsM-qgHYSlbVH42/view?usp=d...> and June <https://drive.google.com/file/d/1LC6HmgdZowKGuk4NTtGEBEl0fhpitIez/view?usp=drive_link>of this year to reflect this additional donation income. Thanks, Phyllis A. Dobbs Controller Python Software Foundation On Mon, Sep 16, 2024 at 3:48 PM Dustin Ingram <di@python.org> wrote:
I've made Phyllis an owner of the PyPA org.
On Fri, Sep 13, 2024 at 10:39 AM Dustin Ingram <di@python.org> wrote:
Hi folks, unless anyone has strong objections, I'm going to go ahead and add Phyllis as an admin in the PyPA org for now, in the interest of not leaving money on the table, and follow up with the thanks.dev team to make an improvement here that would satisfy the concerns raised by William.
On Mon, May 27, 2024 at 12:57 PM Sviatoslav Sydorenko < webknjaz@redhat.com> wrote:
I'd like to share that it's possible to restrict who can manage thanks.dev by adding an undocumented config file at https://github.com/pypa/.thanks.dev: the filename is `THANKS.yaml` and it would contain a mapping with a key `admins:` and a value would be a sequence of strings in the format of `gh/<username>`. By default, though, they let any org owner manage the entire pool of cash (which is per-account/org, not per-project, which is annoying).
On Sat, May 25, 2024 at 4:18 AM Pradyun Gedam via PyPA-Committers < pypa-committers@python.org> wrote:
Yea, making Phyllis admin would mean that GitHub enforces 2FA on the account.
Relevant documentation from https://docs.github.com/en/authentication/securing-your-account-with-two-fac... (emphasis mine)
Your account is selected for mandatory 2FA if you have taken some action on GitHub that shows you are a contributor. Eligible actions include:
- Publishing an app or action for others. - Creating a release for your repository. - Contributing to specific high-importance repositories, such as the projects tracked by the Open Source Security Foundation <https://github.com/ossf/wg-securing-critical-projects#current-work> . - Being an administrator of a high-importance repository. - *Being an organization owner for an organization containing repositories or other users.* - Being an enterprise administrator.
On Thu, May 23, 2024 at 9:24 PM William Woodruff <william@yossarian.net> wrote:
(Sorry, answering my own question: I forgot that GitHub has mandatory MFA already.)
I think as long as all PyPA org admin have a strong MFA method (meaning a security token or TOTP) then the risk is acceptable here. But I'm still happy to start/facilitate/help with a conversation between GH and thanks.dev about fixing the permissions needed here :-)
- William
On Thu, May 23, 2024 at 10:12 PM William Woodruff < william@yossarian.net> wrote:
Hey Phyllis,
I trust you completely! It's unfortunate that this integration requires admin access, however -- I don't have any objection to continuing as-is, but I'm also happy to talk with the thanks.dev owners (either directly or jointly with you) and see if this is something that can be improved on their side. I know this is me being an annoying security person, but IMO it's worth evaluating given that everything (to a first approximation) in the Python ecosystem directly or indirectly depends on the integrity of the packages under the PyPA org.
As a related question for the PyPA org admins: does the PyPA org currently have an MFA requirement? If not IMO we should consider applying one (even independently of this).
On Thu, May 23, 2024 at 5:57 PM Phyllis Dobbs <phyllis@python.org> wrote:
> Hi, Bernat, > > That's right. Heres' a screenshot shared of the donations PyPA had > earned in thanks.dev, so you can get a sense of the level of > detail. > [image: Screenshot 2024-01-30 at 01.56.44.png] > Thanks, > > Phyllis A. Dobbs > Controller > Python Software Foundation > > > > > On Thu, May 23, 2024 at 10:32 AM Bernat Gabor < > gaborjbernat@gmail.com> wrote: > >> Sounds good to me, in this case they can remain under the PSF >> general budget no worries. That being said then we don't actually know if >> those funds have been donated for pip or not as the first post implied: "PyPA >> where Sentry is donating funds to pip". >> >> On Thu, May 23, 2024, 08:18 Phyllis Dobbs <phyllis@python.org> >> wrote: >> >>> Hi, folks, >>> >>> Sorry for the delay - I was a bit busy with PyCon US. >>> >>> PyPA is authorized under the PSF's thanks.dev account under my >>> PSF account, so we'll begin monthly transfers of funds to PyPa's funds to >>> the PSF's accounts for the project's. thanks.dev is an >>> application that can be revoked at any time if you all prefer: >>> >>> [image: image.png] >>> >>> Mike, I need to have full admin rights because it is a requirement >>> from thanks.dev to integrate as the billing manager. I promise, >>> I won't do anything else in y'alls repos! I have similar access for >>> Pallets right now as they were the first PSF project with >>> thanks.dev donations. I'm pretty sure David Lord would give me a >>> positive testimonial. >>> >>> Gabor, as far as distributing funds, I believe we receive payments >>> for all pypa pages in one lump, so it is different from Tidelift that >>> identifies page-level income and makes it easy for the PSf to distribute >>> funds back to individual maintainers. There are general PyPA funds that >>> could be used for various purposes and would require a vote from the >>> committers to release funds for a specific purpose. Would it be helpful >>> for us to schedule a call to go over PyPA's finances? 
>>> >>> Matthias, Jupyter and iPython are NumFOCUS' fiscal sponsorees, so >>> the PSF can't accept funds on their behalf. But, it would be a good idea >>> to talk to the NumFOCUS team to see if they could do a similar arrangement >>> with Armin <http://armin@thanks.dev>from thanks.dev so more funds >>> head to those projects. >>> >>> Do you all have any other questions? >>> >>> Thanks, >>> >>> Phyllis A. Dobbs >>> Controller >>> Python Software Foundation >>> >>> >>> >>> >>> On Wed, May 22, 2024 at 1:41 PM Pradyun Gedam <mail@pradyunsg.me> >>> wrote: >>> >>>> I agree! I've invited Phyllis as a member, and we can bump it to >>>> owner if she isn't able to get the relevant bits of access. >>>> >>>> I'm not sure that the billing manager approach is gonna work >>>> here, but I'd say it won't hurt to make Phyllis that (if she's OK with it, >>>> which I'll wait for her to confirm to me separately, since she can't email >>>> the list without approvals). The sponsorships they're referring to is the >>>> GitHub sponsors functionality. >>>> >>>> On Wed, 22 May 2024, 14:52 Mike, <miketheman@gmail.com> wrote: >>>> >>>>> GitHub advertises a Billing Manager role, see more here: >>>>> >>>>> https://docs.github.com/en/organizations/managing-peoples-access-to-your-org... >>>>> >>>>> One of the listed permissions is: "Start, modify, or cancel >>>>> sponsorships" - is that what is necessary for the thanks.dev >>>>> management? >>>>> >>>>> In the spirit of what William noted, would it be worth trying >>>>> that out first, and expanding to full admin only if necessary to manage the >>>>> integration? >>>>> >>>>> -M >>>>> >>>>> On Wed, May 22, 2024 at 9:47 AM William Woodruff < >>>>> william@yossarian.net> wrote: >>>>> >>>>>> No objections in principle, but as a practical matter: is there >>>>>> a “principle of least authority” option here? 
>>>>>> In other OSS orgs I’m in we use fine-grained permissions to avoid giving people credentials that they don’t actually require (to reduce an attacker’s ability to pivot on a compromised account), and it’d probably be good to do the same here rather than providing blanket admin rights to all repos.
>>>>>>
>>>>>> OTOH this may not be possible from a credential/scoping perspective; not sure how thanks.dev works.
>>>>>>
>>>>>> Best,
>>>>>> William
>>>>>>
>>>>>> Sent from mobile. Please excuse my brevity.
>>>>>>
>>>>>> On May 22, 2024, at 3:08 PM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
>>>>>>
>>>>>> No objections,
>>>>>>
>>>>>> I'm also managing thanks.dev for IPython/Jupyter, do you want me to enable the integration with the PyPA org? (it only requires read access I believe, and I think I can only send a request to activate the integration, and someone else needs to approve).
>>>>>>
>>>>>> I'm still a bit confused about how exactly thanks.dev works, the UI is a bit confusing, but my experience is that it is similar to tidelift, except you can forward the funds you receive to other projects – both as a one-time process, or recurrent.
>>>>>>
>>>>>> --
>>>>>> Matthias
>>>>>>
>>>>>> On Wed, 22 May 2024 at 14:09, Bernat Gabor <gaborjbernat@gmail.com> wrote:
>>>>>>
>>>>>>> Will PSF act here same way it does currently for tidelift? As in virtualenv could also take advantage to acquire funds, that have been donated?
>>>>>>>
>>>>>>> On Wed, May 22, 2024, 08:03 Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
>>>>>>>
>>>>>>>> Hi folks!
>>>>>>>>
>>>>>>>> Phyllis from the PSF reached out about being added as an admin to the pypa organisation to manage the thanks.dev integration that we have for the PyPA where Sentry is donating funds to pip. If there's any concerns with this, please let me know. If no concerns are raised by next week (Friday, 24th), I'll go ahead and do this.
>>>>>>>>
>>>>>>>> Best,
>>>>>>>> Pradyun
>>>>>>>>
>>>>>>>> PS: @Phyllis Dobbs <phyllis@python.org> I did send you an invite and redacted it since I think I'll wait for folks to raise concerns before doing this.
-- Warm regards, Sviatoslav Sydorenko
Software Hacker @ Ansible Core
---
https://useplaintext.email/
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
---
Thank YOU, Phyllis! Folks, a reminder that these funds are available for use on PyPA projects, please see https://mail.python.org/archives/list/pypa-committers@python.org/thread/RG3P... for details. On Tue, Sep 17, 2024 at 11:29 AM Phyllis Dobbs <phyllis@python.org> wrote:
Thank you, Dustin!
I pulled down $6,766 in donations made via thanks.dev for PyPA today! The two largest sources of donations are Sentry and Codecov with smaller amounts coming from Sourcegraph.
PyPA's financials for March <https://drive.google.com/file/d/1_JzjgomVFSsq0dC3nrsM-qgHYSlbVH42/view?usp=d...> and June <https://drive.google.com/file/d/1LC6HmgdZowKGuk4NTtGEBEl0fhpitIez/view?usp=drive_link> of this year to reflect this additional donation income.
Thanks,
Phyllis A. Dobbs Controller Python Software Foundation
On Mon, Sep 16, 2024 at 3:48 PM Dustin Ingram <di@python.org> wrote:
I've made Phyllis an owner of the PyPA org.
On Fri, Sep 13, 2024 at 10:39 AM Dustin Ingram <di@python.org> wrote:
Hi folks, unless anyone has strong objections, I'm going to go ahead and add Phyllis as an admin in the PyPA org for now, in the interest of not leaving money on the table, and follow up with the thanks.dev team to make an improvement here that would satisfy the concerns raised by William.
On Mon, May 27, 2024 at 12:57 PM Sviatoslav Sydorenko < webknjaz@redhat.com> wrote:
I'd like to share that it's possible to restrict who can manage thanks.dev by adding an undocumented config file at https://github.com/pypa/.thanks.dev: the filename is `THANKS.yaml` and it would contain a mapping with a key `admins:` and a value would be a sequence of strings in the format of `gh/<username>`. By default, though, they let any org owner manage the entire pool of cash (which is per-account/org, not per-project, which is annoying).
On Sat, May 25, 2024 at 4:18 AM Pradyun Gedam via PyPA-Committers < pypa-committers@python.org> wrote:
Yea, making Phyllis admin would mean that GitHub enforces 2FA on the account.
Relevant documentation from https://docs.github.com/en/authentication/securing-your-account-with-two-fac... (emphasis mine)
Your account is selected for mandatory 2FA if you have taken some action on GitHub that shows you are a contributor. Eligible actions include:
- Publishing an app or action for others.
- Creating a release for your repository.
- Contributing to specific high-importance repositories, such as the projects tracked by the Open Source Security Foundation <https://github.com/ossf/wg-securing-critical-projects#current-work>.
- Being an administrator of a high-importance repository.
- *Being an organization owner for an organization containing repositories or other users.*
- Being an enterprise administrator.
On Thu, May 23, 2024 at 9:24 PM William Woodruff < william@yossarian.net> wrote:
(Sorry, answering my own question: I forgot that GitHub has mandatory MFA already.)
I think as long as all PyPA org admins have a strong MFA method (meaning a security token or TOTP) then the risk is acceptable here. But I'm still happy to start/facilitate/help with a conversation between GH and thanks.dev about fixing the permissions needed here :-)
- William
On Thu, May 23, 2024 at 10:12 PM William Woodruff < william@yossarian.net> wrote:
> Hey Phyllis,
>
> I trust you completely! It's unfortunate that this integration requires admin access, however -- I don't have any objection to continuing as-is, but I'm also happy to talk with the thanks.dev owners (either directly or jointly with you) and see if this is something that can be improved on their side. I know this is me being an annoying security person, but IMO it's worth evaluating given that everything (to a first approximation) in the Python ecosystem directly or indirectly depends on the integrity of the packages under the PyPA org.
>
> As a related question for the PyPA org admins: does the PyPA org currently have an MFA requirement? If not IMO we should consider applying one (even independently of this).
>
> On Thu, May 23, 2024 at 5:57 PM Phyllis Dobbs <phyllis@python.org> wrote:
>
>> Hi, Bernat,
>>
>> That's right. Here's a screenshot shared of the donations PyPA had earned in thanks.dev, so you can get a sense of the level of detail.
>> [image: Screenshot 2024-01-30 at 01.56.44.png]
>> Thanks,
>>
>> Phyllis A. Dobbs
>> Controller
>> Python Software Foundation
>>
>> On Thu, May 23, 2024 at 10:32 AM Bernat Gabor <gaborjbernat@gmail.com> wrote:
>>
>>> Sounds good to me, in this case they can remain under the PSF general budget no worries. That being said then we don't actually know if those funds have been donated for pip or not as the first post implied: "PyPA where Sentry is donating funds to pip".
>>>
>>> On Thu, May 23, 2024, 08:18 Phyllis Dobbs <phyllis@python.org> wrote:
>>>
>>>> Hi, folks,
>>>>
>>>> Sorry for the delay - I was a bit busy with PyCon US.
>>>>
>>>> PyPA is authorized under the PSF's thanks.dev account under my PSF account, so we'll begin monthly transfers of funds to PyPA's funds to the PSF's accounts for the project's. thanks.dev is an application that can be revoked at any time if you all prefer:
>>>>
>>>> [image: image.png]
>>>>
>>>> Mike, I need to have full admin rights because it is a requirement from thanks.dev to integrate as the billing manager. I promise, I won't do anything else in y'alls repos! I have similar access for Pallets right now as they were the first PSF project with thanks.dev donations. I'm pretty sure David Lord would give me a positive testimonial.
>>>>
>>>> Gabor, as far as distributing funds, I believe we receive payments for all pypa pages in one lump, so it is different from Tidelift that identifies page-level income and makes it easy for the PSF to distribute funds back to individual maintainers. There are general PyPA funds that could be used for various purposes and would require a vote from the committers to release funds for a specific purpose. Would it be helpful for us to schedule a call to go over PyPA's finances?
>>>>
>>>> Matthias, Jupyter and iPython are NumFOCUS' fiscal sponsorees, so the PSF can't accept funds on their behalf. But, it would be a good idea to talk to the NumFOCUS team to see if they could do a similar arrangement with Armin <http://armin@thanks.dev> from thanks.dev so more funds head to those projects.
>>>>
>>>> Do you all have any other questions?
>>>>
>>>> Thanks,
>>>>
>>>> Phyllis A. Dobbs
>>>> Controller
>>>> Python Software Foundation
>>>>
>>>> On Wed, May 22, 2024 at 1:41 PM Pradyun Gedam <mail@pradyunsg.me> wrote:
>>>>
>>>>> I agree! I've invited Phyllis as a member, and we can bump it to owner if she isn't able to get the relevant bits of access.
>>>>>
>>>>> I'm not sure that the billing manager approach is gonna work here, but I'd say it won't hurt to make Phyllis that (if she's OK with it, which I'll wait for her to confirm to me separately, since she can't email the list without approvals). The sponsorships they're referring to is the GitHub sponsors functionality.
>>>>>
>>>>> On Wed, 22 May 2024, 14:52 Mike, <miketheman@gmail.com> wrote:
>>>>>
>>>>>> GitHub advertises a Billing Manager role, see more here:
>>>>>>
>>>>>> https://docs.github.com/en/organizations/managing-peoples-access-to-your-org...
>>>>>>
>>>>>> One of the listed permissions is: "Start, modify, or cancel sponsorships" - is that what is necessary for the thanks.dev management?
>>>>>>
>>>>>> In the spirit of what William noted, would it be worth trying that out first, and expanding to full admin only if necessary to manage the integration?
>>>>>>
>>>>>> -M
>>>>>>
>>>>>> On Wed, May 22, 2024 at 9:47 AM William Woodruff <william@yossarian.net> wrote:
>>>>>>
>>>>>>> No objections in principle, but as a practical matter: is there a “principle of least authority” option here? In other OSS orgs I’m in we use fine-grained permissions to avoid giving people credentials that they don’t actually require (to reduce an attacker’s ability to pivot on a compromised account), and it’d probably be good to do the same here rather than providing blanket admin rights to all repos.
>>>>>>>
>>>>>>> OTOH this may not be possible from a credential/scoping perspective; not sure how thanks.dev works.
>>>>>>>
>>>>>>> Best,
>>>>>>> William
>>>>>>>
>>>>>>> Sent from mobile. Please excuse my brevity.
>>>>>>>
>>>>>>> On May 22, 2024, at 3:08 PM, Matthias Bussonnier <bussonniermatthias@gmail.com> wrote:
>>>>>>>
>>>>>>> No objections,
>>>>>>>
>>>>>>> I'm also managing thanks.dev for IPython/Jupyter, do you want me to enable the integration with the PyPA org? (it only requires read access I believe, and I think I can only send a request to activate the integration, and someone else needs to approve).
>>>>>>>
>>>>>>> I'm still a bit confused about how exactly thanks.dev works, the UI is a bit confusing, but my experience is that it is similar to tidelift, except you can forward the funds you receive to other projects – both as a one-time process, or recurrent.
>>>>>>>
>>>>>>> --
>>>>>>> Matthias
>>>>>>>
>>>>>>> On Wed, 22 May 2024 at 14:09, Bernat Gabor <gaborjbernat@gmail.com> wrote:
>>>>>>>
>>>>>>>> Will PSF act here same way it does currently for tidelift? As in virtualenv could also take advantage to acquire funds, that have been donated?
>>>>>>>>
>>>>>>>> On Wed, May 22, 2024, 08:03 Pradyun Gedam via PyPA-Committers <pypa-committers@python.org> wrote:
>>>>>>>>
>>>>>>>>> Hi folks!
>>>>>>>>>
>>>>>>>>> Phyllis from the PSF reached out about being added as an admin to the pypa organisation to manage the thanks.dev integration that we have for the PyPA where Sentry is donating funds to pip. If there's any concerns with this, please let me know. If no concerns are raised by next week (Friday, 24th), I'll go ahead and do this.
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Pradyun
>>>>>>>>>
>>>>>>>>> PS: @Phyllis Dobbs <phyllis@python.org> I did send you an invite and redacted it since I think I'll wait for folks to raise concerns before doing this.
-- Warm regards, Sviatoslav Sydorenko
Software Hacker @ Ansible Core
---
https://useplaintext.email/
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
---
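The two security points raised in this thread, William's least-authority question (does the integration really need an org owner, or would the member or billing-manager role do) and Pradyun's note that org ownership puts an account under GitHub's mandatory 2FA, both reduce to something an existing org owner can check. The script below is an added example for that check; it is not code from the thread, from the PyPA, or from thanks.dev. It uses three documented GitHub REST calls: `GET /orgs/{org}` (whose `two_factor_requirement_enabled` field is only returned to an owner), `GET /orgs/{org}/members?role=admin` (the owners) and `GET /orgs/{org}/members?filter=2fa_disabled` (members without 2FA; both member filters need an owner token). The org name `example-org`, the logins, the `expected_owners` allowlist and the `SAMPLE_RESPONSES` table are constructed for the example so it runs offline; pagination is omitted on the assumption of fewer than 100 members.

```python
"""Audit who owns a GitHub organisation and whether every owner has 2FA.

Added example (not the PyPA's or thanks.dev's code). Endpoints used, all from
the documented GitHub REST API; the member filters require an owner token:
  GET /orgs/{org}                              -> two_factor_requirement_enabled
  GET /orgs/{org}/members?role=admin           -> organisation owners
  GET /orgs/{org}/members?filter=2fa_disabled  -> members without 2FA
"""
import json
import urllib.request
from typing import Any, Callable, Iterable

API = "https://api.github.com"
Fetcher = Callable[[str], Any]  # maps an API path to its decoded JSON body


def github_fetcher(token: str) -> Fetcher:
    """Build a fetcher that GETs an API path with a personal access token.

    Needs network access; the offline sample run below does not use it.
    """
    def fetch(path: str) -> Any:
        req = urllib.request.Request(
            API + path,
            headers={
                "Authorization": f"Bearer {token}",
                "Accept": "application/vnd.github+json",
                "X-GitHub-Api-Version": "2022-11-28",
            },
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def audit_org(org: str, fetch: Fetcher) -> dict:
    """Collect owners and 2FA state. Assumes <= 100 members (no pagination)."""
    meta = fetch(f"/orgs/{org}")
    owners = {m["login"] for m in fetch(f"/orgs/{org}/members?role=admin&per_page=100")}
    no_2fa = {m["login"] for m in fetch(f"/orgs/{org}/members?filter=2fa_disabled&per_page=100")}
    return {
        # None when the token is not an owner's: GitHub omits the field then.
        "two_factor_required": meta.get("two_factor_requirement_enabled"),
        "owners": sorted(owners),
        "owners_without_2fa": sorted(owners & no_2fa),
        "members_without_2fa": sorted(no_2fa - owners),
    }


def findings(report: dict, expected_owners: Iterable[str]) -> list[str]:
    """Turn the report into actionable lines: no org-wide 2FA policy, owners
    without 2FA, and owners missing from the agreed allowlist (candidates for
    the member or billing-manager role instead of owner)."""
    problems = []
    required = report["two_factor_required"]
    if required is None:
        problems.append("could not read the 2FA requirement (needs an owner token)")
    elif not required:
        problems.append("org does not require 2FA for members; enable it in the org security settings")
    for login in report["owners_without_2fa"]:
        problems.append(f"owner {login} has 2FA disabled")
    for login in sorted(set(report["owners"]) - set(expected_owners)):
        problems.append(f"unexpected owner {login}; consider member or billing-manager role instead")
    return problems


# Constructed sample responses standing in for the live API (hypothetical org and logins).
SAMPLE_RESPONSES = {
    "/orgs/example-org": {"login": "example-org", "two_factor_requirement_enabled": False},
    "/orgs/example-org/members?role=admin&per_page=100": [
        {"login": "alice"}, {"login": "bob"}, {"login": "finance-bot"},
    ],
    "/orgs/example-org/members?filter=2fa_disabled&per_page=100": [
        {"login": "bob"}, {"login": "carol"},
    ],
}


def sample_fetch(path: str) -> Any:
    """Offline stand-in for github_fetcher(...)."""
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    report = audit_org("example-org", sample_fetch)
    for line in findings(report, expected_owners=["alice", "bob"]):
        print(line)
    # Live run as an org owner: audit_org("pypa", github_fetcher(os.environ["GITHUB_TOKEN"]))
```

Run against a real org the third finding is the one that matters for the thread: any login that is an owner only because an integration asked for it shows up as "unexpected owner", and the other two findings tell you whether the org-wide 2FA requirement is switched on independently of GitHub's per-account mandatory-2FA selection.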
participants (8)
- Bernat Gabor
- Dustin Ingram
- Matthias Bussonnier
- Mike
- Phyllis Dobbs
- Pradyun Gedam
- Sviatoslav Sydorenko
- William Woodruff