Add documentation of security implications

[srittau]

The maintainers section is still missing, but the remaining sections are up for scrutiny.

Cc @AlexWaygood @hauntsaninja @Avasam

[srittau]

Ironically, I forgot to ping @Akuli, although it was #138 that prompted me to write this. Sorry!

@JelleZijlstra What can we do about that? In a related matter: I can't check, but do we require 2FA to be enabled for this org/repository? If not, we should definitely enable it.

[ilevkivskyi]

but do we require 2FA to be enabled for this org/repository?

I am 90% sure I enabled it a while ago, I will double-check now.

[JelleZijlstra]

What can we do about that?

Haven't thought too much about it, but it looks like stub packages are owned only by typeshed-bot (e.g., https://pypi.org/project/types-requests/). That's good because it means that if someone gains access to my PyPI account, they can't use it to upload a malicious stubs package. However, we should also review what kind of authentication typeshed-bot uses to upload packages.

[ilevkivskyi]

I am 90% sure I enabled it a while ago, I will double-check now.

Actually it turns out "Require two-factor authentication for everyone in the typeshed-internal organization" was off. I just turned it on. (I also checked that all four members have 2FA enabled ;-))

[ilevkivskyi]

what kind of authentication typeshed-bot uses to upload packages

It uses a PyPI token. FWIW we can rotate it from time to time. (There is even a GHA to test that PyPI token works.)

[srittau]

We should probably document the typeshed-bot user in this file as well. Commits to the PR or text suggestions in the comments welcome. Otherwise I will look into this tomorrow.

[Avasam]

I got nothing to add. You covered everything I was already aware of 👍

[srittau]

I've added the maintainers section, this is ready for a full review now. As mentioned above, I'd like to punt @Akuli's suggestion to describe the attack to later when we've decided what to do in the future in #90.

[srittau]

Are there any more notes?