Differences between revisions 17 and 18
Revision 17 as of 2019-04-30 20:37:38
Size: 4439
Comment: testers and feedback
Revision 18 as of 2019-05-02 14:07:45
Size: 5908
Comment: things to test, context
Line 11: Line 11:
 * We strongly recommend you verify your primary email address on your Test PyPI and PyPI accounts before setting up 2FA.
Line 12: Line 13:

== Changes we're making ==

To increase the security of PyPI downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option.

Starting this Friday, May 3rd, you'll be able to use 2FA on [[http://test.pypi.org/|Test PyPI]]. And if you'd like to try 2FA on [[https://pypi.org|official PyPI]], please fill out [[https://docs.google.com/forms/d/e/1FAIpQLSfRmXhkfAL-LgLfcMdzTG7iIaSwPo-pyzkgv5DzvAU7Q-6XWQ/viewform|this Google form]] so we can invite you to the private beta, which we plan to hold 3-20 May.

PyPI currently supports a single 2FA method: generating a code through a Time-based One-time Password (TOTP) application. After you set up 2FA on your PyPI account, then you must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an application (usually a mobile phone app) in order to generate authentication codes; see below for suggestions and pointers.

This change only applies to the login step, not package uploads.
Line 16: Line 27:
=== Caution (before you test) ===

During this testing period, if things go awry, there's a chance we will need to wipe tokens from users' accounts, so if you choose to try it, please be forewarned. We suggest you make sure you have a PyPI-verified email address on your user account before trying the feature, to make potential account recovery smoother.

Reminder! Sign up for the [[https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/|PyPI Announcement Mailing List]] to be kept in the loop as we continue this process!
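Review bot: this Caution hunk restates two points the same revision already makes elsewhere: the "make sure you have a PyPI-verified email address" advice duplicates the Guidelines bullet near the top of the diff ("We strongly recommend you verify your primary email address ... before setting up 2FA"), and the mailing-list reminder reappears word for word under the Notice section at the end of the revision. Keep the email advice here, since this is where the account-recovery rationale is given, but drop one copy of the reminder so readers are not asked to sign up twice on the same page.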
Line 17: Line 34:
 * Verify primary email address
Line 18: Line 36:
 * Add/Remove Maintainer
 * Add/Remove Owner
 * Transition Ownership
 * Upload package
 * Login/Logout
Line 22: Line 39:
 * Login/Logout
Line 24: Line 40:
 * Remove a project
 * Remove a release
Line 27: Line 41:
== Testers we need == === Testers we need ===
Line 41: Line 55:
== Setting up a TOTP application == === Setting up a TOTP application ===
Line 54: Line 68:
== Security == == Security bugs ==
Line 57: Line 71:
== PyCon == == Try it at PyCon ==
Line 61: Line 75:

== Notice ==

Reminder! Sign up for the [[https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/|PyPI Announcement Mailing List]] to be kept in the loop as we continue this process!

Help us test PyPI's 2-Factor Auth!

Warehouse is the code behind the Python Package Repository (PyPI) (source code on GitHub, roadmap). We are seeking maintainers of Projects on PyPI to test our new two-factor auth functionality and send us bug reports.

Feedback on user experience, accessibility, and overall ease of use are welcome; we want to support your workflows for account management and package maintainership. Go to the test site at https://test.pypi.org/ and try it out!

Guidelines for Participation

  • By participating, you agree to abide by the PyPA Code of Conduct.
  • We strongly recommend you verify your primary email address on your Test PyPI and PyPI accounts before setting up 2FA.
  • You should sign up for the PyPI Announcement Mailing List for updates.

Changes we're making

To increase the security of PyPI downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option.

Starting this Friday, May 3rd, you'll be able to use 2FA on Test PyPI. And if you'd like to try 2FA on official PyPI, please fill out this Google form so we can invite you to the private beta, which we plan to hold 3-20 May.

PyPI currently supports a single 2FA method: generating a code through a Time-based One-time Password (TOTP) application. After you set up 2FA on your PyPI account, then you must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an application (usually a mobile phone app) in order to generate authentication codes; see below for suggestions and pointers.

This change only applies to the login step, not package uploads.

Things to test

Most of these you can test on pypi.org once you opt into the private beta. For testing destructive actions, like removing an owner, deleting a project, or deleting a release, please use test.pypi.org.

Caution (before you test)

During this testing period, if things go awry, there's a chance we will need to wipe tokens from users' accounts, so if you choose to try it, please be forewarned. We suggest you make sure you have a PyPI-verified email address on your user account before trying the feature, to make potential account recovery smoother.

Reminder! Sign up for the PyPI Announcement Mailing List to be kept in the loop as we continue this process!

Workflows

  • Verify primary email address
  • Add/Remove 2FA token using TOTP
  • Upload package
  • Login/Logout
  • User Registration and Confirmation
  • Password Reset

Testers we need

In particular, please help us test this if any of these apply to you:

  • use Windows
  • usually visit PyPI on a mobile device
  • are an organization where users share an auth token within a group
  • have 4+ maintainers or owners for one project
  • use an unusual TOTP app
  • have a slow Internet connection
  • block cookies and JavaScript
  • maintain 20+ projects
  • created your PyPI account 6+ years ago

Setting up a TOTP application

Users who have chosen to set up two-factor authentication (2FA) on their PyPI account must, once 2FA is set up, provide a second method of identity verification (other than their username and password) for each login.

PyPI currently supports a single 2FA method: Generating a code through a TOTP application.
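To make concrete what "generating a code through a TOTP application" means, both here and in the "Changes we're making" section above, here is an added example (not Warehouse's code, and not taken from this page) of how an authenticator app derives the code and how a server can check it. It implements RFC 4226 (HOTP) and RFC 6238 (TOTP) with the defaults most phone apps use (HMAC-SHA1, 6 digits, 30-second steps); the secret, account name and issuer strings are constructed demo values, the secret being the reference secret from the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Added example, not Warehouse's code: how the TOTP second factor is produced
# by an authenticator app and checked by a server (RFC 4226 HOTP, RFC 6238 TOTP).
# Parameters match what most phone apps use by default.
STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1   # tolerate one time-step of clock skew either side

# Constructed demo secret: the RFC 6238 test-vector secret "12345678901234567890",
# base32-encoded the way an app receives it from the enrolment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret, tolerating the unpadded form apps usually display."""
    cleaned = secret_b32.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of time-steps since the Unix epoch."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The otpauth:// Key URI normally shown as a QR code when 2FA is enabled."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check: constant-time compare, bounded drift, and replay rejection."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, drift: int = DRIFT_STEPS):
        self.secret_b32 = secret_b32
        self.step = step
        self.drift = drift
        self.last_used_step = None   # highest time-step already consumed by a login

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.strip()
        if not submitted.isdigit():
            return False
        current = unix_time // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = current + delta
            expected = totp(self.secret_b32, candidate * self.step, self.step)
            if hmac.compare_digest(expected, submitted):
                # A code is single-use: refuse it (and anything older) on replay.
                if self.last_used_step is not None and candidate <= self.last_used_step:
                    return False
                self.last_used_step = candidate
                return True
        return False


def replay_demo(secret_b32: str = DEMO_SECRET_B32) -> tuple:
    """(fresh code accepted, same code replayed, next step's code accepted)."""
    v = TotpVerifier(secret_b32)
    code = totp(secret_b32, 59)
    return (v.verify(code, 59), v.verify(code, 59), v.verify(totp(secret_b32, 60), 60))


if __name__ == "__main__":
    print(provisioning_uri("PyPI", "someuser", DEMO_SECRET_B32))
    print("code at t=59:", totp(DEMO_SECRET_B32, 59))
    print("accepted, replayed, next:", replay_demo())
```

The point for testers and maintainers is that the only shared state is the base32 secret exchanged once at enrolment; every code after that is derived from the secret and the current time-step, which is why the verifier must both tolerate a little clock drift and remember the last step it accepted so a captured code cannot be reused.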

When enabling two-factor authentication (2FA) via TOTP in your account admin, you are asked to provision an application (usually a mobile phone app) in order to generate authentication codes. Popular applications include:

Security bugs

If you find any potential security vulnerabilities, please follow our published security policy. Please don't report security issues in Warehouse via GitHub, IRC, or mailing lists. Instead, please directly email one or more of our maintainers.

Try it at PyCon

Warehouse developers will be at the PyCon sprints May 6-9 to talk about problems you run into, or about how to hack on Warehouse.

Feel free to drop in!

Contact us

Security issues: email security @ python dot org

GitHub for all other bug reports & feature requests: https://github.com/pypa/warehouse/issues/new

IRC: #pypa-dev on Freenode (someone's usually there 10am-5pm Central Time on weekdays)

Email: pypa-dev mailing list

Thank you for testing Warehouse! You're helping us launch sooner and future users of PyPI will appreciate it. :)

WarehousePackageMaintainerTesting (last edited 2019-08-15 21:22:16 by SumanaHarihareswara)
