HTTPX designated as critical on PyPI #2299
Replies: 3 comments 5 replies
-
|
I thought being part of encode required 2fa, I dont think I had it before |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @florimondmanca for bringing this up for discussion.
I think encode requires 2fa on GitHub, but not necessarily on PyPI. I'm not sure who controls the PyPI token, but it would be a good idea for that account to have 2fa set up. Does anyone know who owns the PyPI token? How is the token scoped (all projects for the account, or only one project per token)? Is it rotated with any regularity? |
Beta Was this translation helpful? Give feedback.
-
Probably Tom.
Should be per project.
afaik, no. @tomchristie should be able to confirm what I said. |
Beta Was this translation helpful? Give feedback.
-
Correct.
Correct.
Nope. Security-wise I don't believe we have any pressing need for rotation, given how it is used. I don't know the token value, nd I'm no longer able to access it. The only places where it is stored are within GitHub's infra as a completely hidden environment variable...
...and within PyPI, which also doesn't allow me to view it...
Agreed. I will take a look at that. Perhaps we could get someone(s) else on the team to also have 2fa & a key? Ideally I'd suggest we have 3 team members with privileges over our PyPI projects, and admin rights to the org. (Encode OSS can finance the purchase of the keys, and we should also look at how we deal with our finances, invoices, salaries, proposals. But that's a different story.) |
Beta Was this translation helpful? Give feedback.
-
|
Sounds like a good plan. I use a YubiKey 5C NFC for PyPI and GitHub, and have been very happy with it.
|
Beta Was this translation helpful? Give feedback.
-
|
I have never released anything on PyPI so I have no idea how that is structured. I guess that either there is a single account that has publishing rights on PyPI, and to which encode/operations have access, or each member of encode/operations has their own account, that has publishing rights on PyPI? |
Beta Was this translation helpful? Give feedback.
-
|
I'm not an owner of any encode project, and I'm part of |
Beta Was this translation helpful? Give feedback.
-
I guess that's the case. cc @tomchristie |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi @encode/maintainers,
Ive just received an email today from PyPI indicating HTTPX has been designated as a “critical project”.
The impact seems to be: 2FA must be enabled to “add new releases or manage the project”.
Tweet: https://twitter.com/pypi/status/1545455297388584960
I’m raising this discussion to discuss potential changes this induces for us.
As I understand we create releases through a PyPI token. Does this mean the account attached to the token has to enable 2FA so we can create further releases?
On my end, I can see I cannot access the “Manage” section (button disabled) for httpx on PyPI anymore, presumably until I enable 2FA.
Beta Was this translation helpful? Give feedback.
All reactions