Improving the security of typing-extensions #393
Comments
|
Overall this all sounds great; thanks for writing it up!
FWIW, I'd be happy to help out with releases :-)
This is the only part I have a slight qualm about. I feel like PRs like #386 which only touch docs files probably don't really require review. But PRs like that are rare enough that I think it'll probably be okay; I don't have a strong objection here. |
|
I think all of these are good. Note that requiring PR reviews does not meaningfully improve security posture (to be robust to single adversarial maintainer, you'd need to at least a) enforce previous approvals are invalidated by new commits, b) contributions by external contributors will need double approval). I'm happy to both help out more with releases or also lose my release bit on PyPI, whatever we feel is best. |
|
Thanks both!
I agree reviews aren't terribly important for docs-only changes, but there's still a benefit in having someone else take a look.
I just enabled a setting that requires PRs and requires at least one review. GitHub also has a setting that requires review on the last pushed commit, which fixes your point b). It does not fix point a). We could fix that by requiring two (or more) reviews per PR, but I feel that is too inconvenient for development. (Any maintainer PR would need review from two other maintainers.) |
|
The changes look good, and I'm happy to get less access (or no special access), unless a backup maintainer is useful. |
|
FWIW, on PyPI, we now have three admins (owners) and (in addition) three maintainers. Owners can do everything that maintainers can do. I'm okay with this setup. Not sure what the GitHub setup is yet. |
|
You can see who has commit access at https://github.com/python/typing_extensions/settings/access (if you are a maintainer). There's a few people there that we should probably retire. |
(I think only repo admins can see that page; I'm a maintainer and it's a 404 for me) |
|
Status:
We should also add a |
typing-extensions is among the most widely used Python packages, and we should make sure we keep it secure.
I'd like to propose improvements in a few areas:
Better release process
The current release process involves the release manager (in practice, me) building an sdist and wheel on their laptop and uploading it to PyPI. This opens up a few possible issues: the release manager's laptop could be compromised; they could make a mistake in what files to upload; they could sneakily manipulate the contents of the files before they are uploaded.
We should instead use https://docs.pypi.org/trusted-publishers/ to publish directly from a GitHub Action to PyPI. This removes the release manager's machine from the loop and ensures the release matches what is in the repo. (Recall that the recent xz backdoor involved a tarball with contents different from the repo.)
Manage who has access
To reduce the risk of account compromise, we should limit access to the repo. I would like to propose:
Ensure code is reviewed
We should ensure all code in the repo is reviewed. I would like to propose:
Keep the repo simple
The less surface area, the less the chance of issues. We should commit to:
I am happy to implement all of these if other maintainers agree.
The text was updated successfully, but these errors were encountered: