python / pythondotorg

Source code for python.org
https://www.python.org
Apache License 2.0

is https://psfmember.org/ legit? why should it be trusted? #2448

Closed cjw296 closed 4 months ago

cjw296 commented 4 months ago

I got an email purporting to be from psf@psfmember.org, but became suspicious when it appears that https://psfmember.org/ is implemented in PHP.

I have no record of interacting with this domain before, which has me concerned.

The HTTPS certificate is just a blank letsencrypt with no chain of trust evident.

I see discussion of the domain in this repo, but not by anyone who is marked by GitHub as an admin or otherwise of the repo.

I tried to find a link to it from the main python.org site, but https://www.python.org/psf/membership-faq/ links to https://www.python.org/users/membership/.

I'm aware that we need to attest in order to be able to vote, but sending out something that smells like a phishing email that links to a domain with no apparent chain of trust is a little alarming, so I want to try and find out what's going on...

hugovk commented 4 months ago

It's legit. It was used for the first time last year. I believe it's a WordPress site running CiviCRM.

It's linked to at least from https://www.python.org/psf/membership/supporting/ in the "sign up or renew here" link, and at https://discuss.python.org/t/important-affirm-your-psf-membership-voting-status/27502, posted by the PSF director of infrastructure.

cjw296 commented 4 months ago

Well, the PHP is a little disappointing then :-/

I certainly voted last year, which is why I'm surprised I have no credentials in password stores for it, which also raises concerns.

Posting to discuss.python.org only also isn't great, I suspect there's a decent chunk of us who don't engage with discuss.

The inconsistent littering of links on python.org, honestly, feels like a security issue in this day and age.

malemburg commented 4 months ago

Hi @cjw296 , the PSFMembers site has been around at least since 2012, probably even longer. It hosts the CiviCRM system the PSF is using to manage PSF member- and sponsorships.

The public facing site looks a bit outdated and is not very intuitive, but this is where esp. the contributing and supporting members register themselves.

The admins did send out individual emails for the current vote (and last year) for affirming the vote status. This is a process which has to be done every year as per the bylaws.

Apart from the discuss section for the PSF, there's also the psf-members-ann mailing list: https://mail.python.org/mailman3/lists/psf-members-announce.python.org/ which receives such announcements (which was set up in 2013 for this purpose). The ML has not received an email for this year's affirmation (yet). I guess this is still pending.

ewdurbin commented 4 months ago

Discussion here from @malemburg and @hugovk is correct.

asottile commented 4 months ago

fwiw I also landed here because it looks like a phishing site and because my password manager did not have credentials for it despite voting in the past

cjw296 commented 4 months ago

Other things I've learned from the email sent out about registering to vote:

psf-donations@pyfound.org is a typo and doesn't go anywhere.

psf@psfmember.org does not accept email; why it's not sent from a no-reply@ address I have no idea.

In a world where Python is an extremely popular language and supply chain attacks are a thing, the cluster of evidently mismanaged related domains involved here, along with poorly checked emails and suspicious microsites is pretty disappointing :-/
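The checks the reporter ran by hand in the opening comment and in this last one (does the sender domain belong to the organisation, do the Reply-To and From domains agree, do the linked hosts belong to known domains) can be scripted as a first-pass triage. The block below is an added example written for this page, not code from the thread or from the pythondotorg project. The known-domain list is taken from the domains named in the discussion; the message is constructed (including the `psfmember.org.evil.example` look-alike host) and `registrable_domain` is a deliberate simplification that takes the last two DNS labels and ignores public suffixes such as `co.uk`.

```python
"""First-pass triage of a 'please affirm your membership' style email.

Added example, not part of the original issue thread. The heuristics mirror
what a recipient would check by hand: sender domain, Reply-To consistency and
the hosts behind every link in the body.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains named in the thread as belonging to the PSF (assumption: treat as trusted).
KNOWN_DOMAINS = {"python.org", "psfmember.org", "pyfound.org"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")

# Constructed sample message; the look-alike host is invented for the example.
SAMPLE_EMAIL = """From: PSF <psf@psfmember.org>
Reply-To: psf-donations@pyfound.org
To: member@example.org
Subject: Affirm your PSF voting status
Content-Type: text/plain

Please affirm your status at https://psfmember.org/
Membership details: https://www.python.org/psf/membership/supporting/
Having trouble? http://psfmember.org.evil.example/login
"""


def registrable_domain(host):
    """Last two DNS labels. Simplification: ignores public suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of an RFC 5322 address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def extract_link_hosts(body):
    """Hostnames of every http(s) URL found in the body, in order."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def triage(raw_message, known_domains=KNOWN_DOMAINS):
    """Return sender/link facts plus a list of human-readable findings."""
    msg = message_from_string(raw_message)
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    body = msg.get_payload()
    hosts = extract_link_hosts(body)
    findings = []

    if from_domain and registrable_domain(from_domain) not in known_domains:
        findings.append(f"sender domain {from_domain} is not a known organisation domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for host in hosts:
        # A look-alike such as psfmember.org.evil.example fails this check.
        if registrable_domain(host) not in known_domains:
            findings.append(f"link host {host} is not a known organisation domain")
    for url in URL_RE.findall(body):
        if url.startswith("http://"):
            findings.append(f"plain-http link {url}")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "link_hosts": hosts,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

The findings are hints for a human, not a verdict: a mismatched Reply-To is exactly what the thread observed in a legitimate mailing, so the useful output is the list of things to confirm out of band (for instance by finding the link on a page you already trust, as the second commenter did).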