Pandas is a "critical" project on PyPI: people who can upload wheels to PyPI need 2FA enabled on their PyPI account. The Python project is considering requiring 2FA for all their GitHub members: https://discuss.python.org/t/new-python-organization-repository-policy/17376

How about requiring pandas members to also have 2FA set up for GitHub?

xref #44886 https://pypi.org/security-key-giveaway/

Comment From: mroeschke

I would be +1. I do understand the "requiring volunteers to incur more responsibility" argument though.

Looks like it could be enforced at the pandas-dev organization level: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization

Might be a detail to include in the governance docs if agreed upon. #47694

Comment From: fangchenli

@pandas-dev/pandas-core One of the tasks of the GitHub Secure Open Source Fund is to "activate MFA for all maintainers and major contributors." To meet this requirement, we should require 2FA at org level.

Comment From: rhshadrach

I plan to add this requirement in 3 days' time if there are no objections.

Comment From: jorisvandenbossche

FWIW, as far as I can see, all the current core team members (both for pandas and pandas-stubs), i.e. all people that have write access, already have 2FA enabled (or have it enabled now after the message here), and so requiring it at the org level should not directly impact anyone (not that it should otherwise prevent us from doing it, but at least we don't have to reach out to someone to ensure they don't lose access).

I assume that if we enable it, this is also the case for the triage team and any member not part of a team? (although those don't have write access)