On Tue, Jun 15, 2021 at 11:08 AM Mariatta <mariatta@python.org> wrote:
Thanks for sharing your experience, and I think it's important for us core developers to be careful and vigilant about this.
I was wondering if we should add under the "core developers responsibility" section ( https://devguide.python.org/coredev/#responsibilities), about securing their GitHub account with 2FA/MFA? I think this is something that can be made as required by the org admins. (and add that we'll work with folks if they need assistance in setting those up).
Yes, there's a setting at I believe the org level where we can require 2FA. I've tossed something on the SC agenda (which is currently massive, so who knows how long it will be before we get to this) to see if this is something we want to consider (if 2FA would actually stop you from contributing, do feel free to speak up, otherwise I assume it's a situation like Tim where we just need to help you figure out how to make it work).
-Brett
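An added example, not code from this thread or from the python organization: before flipping the org-level "require 2FA" setting, an org owner can find out who would be locked out. GitHub's REST API supports `GET /orgs/{org}/members?filter=2fa_disabled` (owners only), and this script walks every page of that listing. The org name, the `GITHUB_TOKEN` variable and the injectable `fetch` parameter are assumptions made for the example.

```python
"""Audit which members of a GitHub organization still have 2FA disabled."""
from __future__ import annotations
import json
import os
import sys
import urllib.request
from typing import Callable, List, Optional, Tuple

API = "https://api.github.com"


def next_link(link_header: str) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None on the last page."""
    for part in link_header.split(","):
        url, _, rel = part.partition(";")
        if 'rel="next"' in rel:
            return url.strip().strip("<>")
    return None


def github_get(url: str, token: str) -> Tuple[list, Optional[str]]:
    """Fetch one page of the API; return (items, url_of_next_page_or_None)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    with urllib.request.urlopen(req) as resp:
        items = json.load(resp)
        link = resp.headers.get("Link", "")
    return items, next_link(link)


def members_without_2fa(org: str, token: str,
                        fetch: Callable = github_get) -> List[str]:
    """Logins of org members with 2FA disabled, across all pages, sorted."""
    # filter=2fa_disabled is only honoured for organization owners;
    # other callers get the unfiltered member list (or 403), so check roles first.
    url = f"{API}/orgs/{org}/members?filter=2fa_disabled&per_page=100"
    logins: List[str] = []
    while url:
        items, url = fetch(url, token)   # fetch is injectable for offline tests
        logins.extend(m["login"] for m in items)
    return sorted(logins)


if __name__ == "__main__":
    org_name = sys.argv[1] if len(sys.argv) > 1 else "example-org"  # assumed
    for login in members_without_2fa(org_name, os.environ["GITHUB_TOKEN"]):
        print(login)
```

Run it as `GITHUB_TOKEN=... python audit_2fa.py your-org`; an empty result means the requirement can be enabled without removing anyone.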
On Mon, Jun 14, 2021 at 12:38 PM Brett Cannon <brett@python.org> wrote:
I have discovered someone tried to break into my GitHub account (you can check yourself by going to https://github.com/settings/security-log and looking for "failed to login" attempts for potentially odd geographical locations for yourself). CPython probably would have been the biggest target for them had they gotten in (my work stuff is all open source and it would have required breaking into another account). But GitHub has a completely unique password and MFA turned on, so they were unsuccessful.
Please make sure you have a unique password for your GitHub account and that you have 2FA/MFA turned on (I honestly think we should start requiring this; I'm sure we can get money for folks to get security keys). Other languages like PHP have been successfully hacked ( https://arstechnica.com/gadgets/2021/03/hackers-backdoor-php-source-code-aft...), so this isn't a hypothetical anymore that we would be targets for folks who want to install a backdoor into one of the world's most popular programming languages, one that is now mission-critical for a lot of massive corporations and governments.