Security precautions #7
Comments
We don't publish to conda directly. It is done via merging a pull request on the conda-forge repo.
Cheers, updated the list.
KYM for each maintainer who has merge rights as well as those that have publishing rights. Note that those two sets are distinct. For example, our conda-forge package has a maintainer with publish rights (i.e., merge rights on the conda-forge feedstock) who does not have merge rights in the jlab repo.
Note that there isn't proper 2FA for PyPI. There is some work in progress that they call 2FA, but it is more of a 1.5FA.
AFAIK the only remaining issue is recovery codes: pypi/warehouse#5800
I haven't tried publishing on PyPI since I added 2FA to my account.
@jasongrout You're totally right. I had that in three spots and when I consolidated, I did not clarify. Updated now.
@blink1073 I mean that 2 factors are not needed on upload, only to generate a token that is stored for use on upload (pypi/warehouse#5815). This means there is only one factor when uploading (something stored on your computer).
Introduction
On the cusp of our 1.0 release, we should revisit our security procedures to make sure we are taking reasonable precautions to protect our users and ourselves.
I propose the following checklist as a model for how we handle these issues.
Risk factors
We recognize that our project is high profile and it could be a vector of attack in a few ways:
1. Malicious code injection into JupyterLab source
2. Compromised dependencies in package.json files
3. Publishing compromised Python packages to PyPI/Conda (conda-forge pull requests)
4. Publishing compromised JS packages to NPM
Mitigation - how we handle these risks
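For the "compromised dependencies in package.json files" risk listed above, one concrete check a maintainer can run in CI is to audit the manifest against its lockfile: every dependency should be pinned exactly, present in the lockfile, carry an integrity hash, and resolve to the registry you expect. The script below is an added example, not code from this issue or from JupyterLab; the sample package.json and package-lock.json are constructed (lockfile v1 layout with a top-level "dependencies" map), the integrity values are placeholders, and the trusted registry host set is an assumption.

```python
"""Audit a package.json against its package-lock.json for weak spots that
let a tampered dependency slip in: unpinned version specs, entries missing
from the lockfile, missing integrity hashes and untrusted resolve hosts.
Added example; the manifests below are constructed, not real project files."""
import json
import re
from urllib.parse import urlparse

# Constructed sample manifests (not JupyterLab's own files).
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "left-pad": "1.3.0",
        "lodash": "^4.17.0",
        "internal-tool": "git+https://example.invalid/org/internal-tool.git",
    },
    "devDependencies": {"typescript": "3.5.1"},
})

PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERINTEGRITYVALUE==",  # placeholder hash
        },
        "lodash": {
            "version": "4.17.15",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
            # integrity deliberately missing for the example
        },
        "typescript": {
            "version": "3.5.1",
            "resolved": "https://mirror.example.invalid/typescript-3.5.1.tgz",
            "integrity": "sha512-PLACEHOLDERINTEGRITYVALUE==",  # placeholder hash
        },
        # internal-tool deliberately absent from the lockfile
    },
})

# Exact semver pin: MAJOR.MINOR.PATCH with an optional prerelease suffix.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")
# Assumption for the example: only the public npm registry is trusted.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def audit_dependencies(package_json_text, package_lock_text,
                       trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return a list of (dependency, finding) tuples, sorted by dependency name.

    Checks performed per declared dependency:
      * the manifest pins an exact version (no ranges, tags, git or URL specs)
      * the dependency has an entry in the lockfile
      * the lockfile entry carries an integrity hash
      * the lockfile entry resolves to a trusted registry host
    """
    manifest = json.loads(package_json_text)
    lock = json.loads(package_lock_text)
    locked = lock.get("dependencies", {})
    findings = []

    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(manifest.get(section, {}))

    for name, spec in sorted(declared.items()):
        if not EXACT_VERSION.match(spec):
            findings.append((name, f"version spec {spec!r} is not an exact pin"))
        entry = locked.get(name)
        if entry is None:
            findings.append((name, "missing from package-lock.json"))
            continue
        if not entry.get("integrity"):
            findings.append((name, "lockfile entry has no integrity hash"))
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in trusted_hosts:
            findings.append((name, f"resolved from untrusted host {host or '<none>'!r}"))
    return findings


if __name__ == "__main__":
    for dep, finding in audit_dependencies(PACKAGE_JSON, PACKAGE_LOCK):
        print(f"{dep}: {finding}")
```

Run against real files by reading package.json and package-lock.json from disk and passing their text to audit_dependencies; a non-empty result is a reason to fail the CI job before anything is published.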