Closed dkastl closed 3 years ago
I agree @dkastl . It's a good and necessary practice these days. I have 2FA in my company's repository.
Thanks @cayetanobv , I also make this mandatory for the company where it can be done for new services. The problem is things like pgRouting, which have existed for such a long time. And enforcing 2FA will cause 21 members to be removed from the organization. I hope this issue will lower the number ;-)
Members to be informed about 2FA
Hi pgRouting Team! Thanks for starting this discussion. I completely agree with the idea of enabling 2FA. I have updated my personal settings to enable 2FA on my account. Thanks!
Hmm, response is really slow regarding this issue, so either enabling 2FA is a very bothersome task ... or notifications do not reach affected users.
Anyway, let's wait another three days and then enable 2FA. Those who will be removed from the organization can re-apply or just use pull requests if necessary.
Final call to enable 2FA! Here is a link to the documentation: https://docs.github.com/en/github/authenticating-to-github/configuring-two-factor-authentication
@dkastl I'm okay with this change since I don't make any direct commits to pgRouting. Unfortunately the way Github has implemented 2-factor authentication requires me to use my cell phone which I have off most of the time. Given I never commit anything directly to GitHub it's a bit too annoying for my needs. I'll just do pull requests as needed.
Thanks @robe2 , I actually didn't know about this mobile phone requirement, but I also heard about this from @mbasa. I only find 2FA with AWS very annoying, but with Github I have some Yubikeys as well as a 2FA app registered and I can't remember ever being asked for my mobile phone. In general Github only asks me very rarely to login again, and when I need to confirm some actions the password is always an option.
> But with Github I have some Yubikeys as well as a 2FA app registered
How does the YubiKey thing work? Do you still need a 2FA app with it, and if so, which one do you use? I assume that might work for me, as I just want a hardware device to plug into my computer and not have to ever use my cell phone for anything. Other 2-factor tools have an option to call a landline, so I use that for many of my other 2FA requirements, and yeah, Amazon 2FA is extremely painful.
Yubikey is usually a USB key. Also Google sells something similar. There are types with NFC to also work with a smartphone, but I do not work on github with my phone, so I don't need this ;-)
Personally I always try to have a few alternatives not to lock myself out, like:
... well and as a different project I'm currently working on this: https://consento.org/ ... so in the future hopefully you can do 2FA with people you trust ;-)
@cvvergara , OK to enable it? This will remove at the moment 15 people from some pgRouting team, however:
* it does not prevent anyone from continuing to file issues or submit pull requests
* it will probably remove mostly inactive members
* we can add anyone again on request
But I would like to get this done.
OK
So from active members:

* dkastl is OK
* robe2 is OK
* cvvergara is OK
* Rohith hasn't participated on decisions lately

So the general vote is OK.
Since this is open for a while already, I will proceed to enforce 2FA and anyone who wants to be added back, please enable 2FA and let me know.
These days it's good practice to use multi-factor authentication like 2FA to better secure accounts for web services like Github. When the pgRouting org on Github was created, 2FA did not exist yet, but when I create a new organization now I always make 2FA mandatory for organization members.
In my opinion this is necessary, because we are in some way responsible for the code we publish, and lots of distributions and packagers build pgRouting for their platforms when we publish a new release.
It would be a serious problem if malicious code made it into a package that people install with admin permissions. 2FA is one way to make something like this more difficult to happen.
However, there is a problem: 21 members of pgRouting would be removed if 2FA were enforced today:
I think this number is high and unfortunately there are also active contributors on this list.
I would like to encourage everyone to enable 2FA for your Github account, so we can secure this organization better.
Feel free to comment, if you are not comfortable with using 2FA: @pgRouting/admins @pgRouting/gsoc @pgRouting/osm2pgrouting @pgRouting/pgroutinglayer
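Before flipping the enforcement switch, an org owner can produce the "who would be removed, and from which teams" list that this issue talks about. The script below is an added example and not part of the pgRouting project; it uses the documented GitHub REST endpoints `GET /orgs/{org}/members?filter=2fa_disabled` and `GET /orgs/{org}/teams/{team_slug}/members`, assumes an owner token in the `GITHUB_TOKEN` environment variable, and assumes the team slugs (`admins`, `gsoc`) match the team mentions above.

```python
"""Preflight report before enforcing 2FA on a GitHub organization (added
example): which members lack 2FA, and which teams they sit on."""
import json
import os
import urllib.request

API = "https://api.github.com"


def fetch_all(path, params=""):
    """GET a paginated list endpoint, following the Link: rel="next" header."""
    url = f"{API}{path}?per_page=100{params}"
    items = []
    while url:
        req = urllib.request.Request(url, headers={
            # assumption: GITHUB_TOKEN holds an org-owner token (the
            # 2fa_disabled filter is only available to owners)
            "Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            items.extend(json.load(resp))
            link = resp.headers.get("Link", "")
            url = next((part.split(";")[0].strip(" <>")
                        for part in link.split(",") if 'rel="next"' in part), None)
    return items


def impact_report(all_members, no_2fa_members, team_members):
    """Pure function over member objects (each has a 'login' key).
    team_members maps team slug -> list of member objects for that team."""
    removed = sorted(m["login"] for m in no_2fa_members)
    removed_set = set(removed)
    teams_hit = {}
    for slug, members in team_members.items():
        hit = sorted(m["login"] for m in members if m["login"] in removed_set)
        if hit:  # only report teams that actually lose someone
            teams_hit[slug] = hit
    return {"total": len(all_members), "removed": removed,
            "teams_affected": teams_hit}


def live_report(org, team_slugs):
    """Fetch the three lists from the API and build the report."""
    all_members = fetch_all(f"/orgs/{org}/members")
    no_2fa = fetch_all(f"/orgs/{org}/members", "&filter=2fa_disabled")
    teams = {s: fetch_all(f"/orgs/{org}/teams/{s}/members") for s in team_slugs}
    return impact_report(all_members, no_2fa, teams)


if __name__ == "__main__":
    print(json.dumps(live_report("pgRouting", ["admins", "gsoc"]), indent=2))
```

Run it once before enforcing, then again after the grace period, so active contributors on the list can be pinged directly rather than silently dropped.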