Closed srittau closed 1 month ago
Ironically, I forgot to ping @Akuli, although it was #138 that prompted me to write this. Sorry!
@JelleZijlstra What can we do about that? In a related matter: I can't check, but do we require 2FA to be enabled for this org/repository? If not, we should definitely enable it.
> but do we require 2FA to be enabled for this org/repository?
I am 90% sure I enabled it a while ago, I will double-check now.
> What can we do about that?
Haven't thought too much about it, but it looks like stub packages are owned only by typeshed-bot (e.g., https://pypi.org/project/types-requests/). That's good because it means that if someone gains access to my PyPI account, they can't use it to upload a malicious stubs package. However, we should also review what kind of authentication typeshed-bot uses to upload packages.
> I am 90% sure I enabled it a while ago, I will double-check now.
Actually it turns out "Require two-factor authentication for everyone in the typeshed-internal organization" was off. I just turned it on. (I also checked that all four members have 2FA enabled ;-))
> what kind of authentication typeshed-bot uses to upload packages
It uses a PyPI token. FWIW we can rotate it from time to time. (There is even a GHA to test that PyPI token works.)
We should probably document the typeshed-bot user in this file as well. Commits to the PR or text suggestions in the comments are welcome. Otherwise I will look into this tomorrow.
I've got nothing to add. You covered everything I was already aware of 👍
I've added the maintainers section, this is ready for a full review now. As mentioned above, I'd like to punt @Akuli's suggestion to describe the attack to later when we've decided what to do in the future in #90.
Are there any more notes?
The maintainers section is still missing, but the remaining sections are up for scrutiny.
Cc @AlexWaygood @hauntsaninja @Avasam