
See also https://discuss.python.org/t/remove-coordinator-role-of-inactive-coordinator... for the security of bugs.python.org. So far, no action was taken. Inactive coordinators kept their permission.
For GitHub, I'm using a YubiKey and FreeOTP for the 2FA.
Victor
On Mon, Jun 14, 2021 at 9:38 PM Brett Cannon <brett@python.org> wrote:
I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log and looking for "failed to login" attempts for potentially odd geographical locations for yourself). CPython probably would have been the biggest target for them had they gotten in (my work stuff is all open source and it would have required breaking into another account). But GitHub has a completely unique password and MFA turned on, so they were unsuccessful.
Please make sure you have a unique password for your GitHub account and that you have 2FA/MFA turned on (I honestly think we should start requiring this; I'm sure we can get money for folks to get security keys). Other languages like PHP have been successfully hacked (https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-aft...), so this isn't a hypothetical anymore that we would be targets for folks who want to install a backdoor into one of the world's most popular programming languages and is now mission-critical for a lot of massive corporations and governments.
python-committers mailing list -- python-committers@python.org
To unsubscribe send an email to python-committers-leave@python.org
https://mail.python.org/mailman3/lists/python-committers.python.org/
Message archived at https://mail.python.org/archives/list/python-committers@python.org/message/I...
Code of Conduct: https://www.python.org/psf/codeofconduct/
-- Night gathers, and now my watch begins. It shall not end until my death.