New Lifter Improvement: Confirm Package Manager 2FA

Morning Lifters!

Today we’re adding a Two-Factor Authentication task for all Lifters. (This follows the recent news that PyPI now supports 2FA!)

This task will have some quick instructions for setting up 2FA on your respective package managers. Even if you’ve set up 2FA already, you’ll still have to mark the task as complete from your lifter dashboard.

Not only will this help you sleep better at night, but in the future we will expose this to Subscribers to help assure them that their dependencies are under lock-and-key too. :closed_lock_with_key: :+1:

Thanks for being a part of Tidelift, and let us know if you have feedback on this task!

2 Likes

Instructions for npm state:

Enable Two-Factor Authentication for Authorization and Publishing

If you enable 2FA for publishing, you lose the ability to leverage automated release tooling, such as semantic-release (No affiliation).

They are actively discussing solutions, but the community has not come to a consensus on the appropriate approach to take.

What does Tidelift recommend in this particular situation? Do I leave the task un-completed if I do not have 2FA enabled for publishing?

Will verification be added at a later date to check that 2FA has been enabled on a package? (Instead of relying on self-reporting)

Another thought was the way Two-Factor Authentication is a per-package task. For my very few packages, it’s a minor inconvenience to mark the Two-Factor Authentication task completed across all my packages, even though the actual task is only completed once. However, I suspect it wouldn’t scale past a dozen or so packages, and I believe there are a few Lifters that would fall into that category.

Is there any concept of per-Lifter tasks?

Hutson - we don’t have that concept yet, but it definitely came up when we were thinking about this one. Ultimately, we decided to work with the data model we already had for this first iteration.

For all lifters, including those that lift a lot of packages, we can always mark the task completed for all packages on your behalf if you email lift@tidelift.com

1 Like

Am I answering the current 2FA task/question for just myself, or the package and hence cover status of all maintainers?

The wording of the Bonus link (for an npm package) led me to assume I was answering for just myself, but now I suspect that was a wrong impression!

Bonus : you can also require 2FA for any maintainers of your package.

@hutson my understanding about automated verification is that it won’t be possible because package managers won’t expose information about this as an API—it could be considered a security vulnerability because you could determine who does not have 2FA enabled.

1 Like

As far as I can see 2FA is not supported at Maven Central https://oss.sonatype.org/content/repositories/snapshots/ and if they did it would break all automatic tooling. Maybe Tidelift needs a “not supported” option so we can close the task.

1 Like

Update: PyPI now supports a variety of 2FA options, as well as project-scoped API tokens and everything works :tada: (future work will make scoping more granular)

Similar to the NPM issue, PyPI currently forces you to choose between release automation and 2FA - there’s an open issue for API tokens which will be fantastic, but it hasn’t landed yet and I don’t have a good sense for how long it might take.

2 Likes

@shadowspawn I found that point confusing as well. My assumption is the task covers all maintainers with access to the package. The Bonus part throws that off a little, since, if the task was to enforce 2FA for all maintainers with access to the package, why not make the task about enabling that bonus option.

The bonus option also has the benefit that it will apply to maintainers added at a later date. For a few organizations I belong to, this would be an important consideration, as we add/remove maintainers on a regular basis.

Could the registry act as an OAuth provider and allow users to register an application with the registry so that the application can determine whether the user has properly configured 2FA?

(Idea is based on what you can currently do with GitHub - Python lifters: Enable two-factor authentication for PyPi)

1 Like

Hey everyone, thanks for the useful feedback on the 2FA task. We’ve rolled out some changes recently that should hopefully help:

  • We changed the wording to clarify that each lifter of a package needs to confirm 2FA
    • We’ll list out Lifter names who need to complete the task, to make this more clear.
  • If a package is on GitHub, we’ll auto-detect and require any GitHub-connected Lifters’ 2FA status
    • Additionally, if the package manager is entirely hosted on GitHub, we’ll use this to auto-verify the task so you don’t have to (e.g. cargo, go, cocoapods, etc).

3 Likes
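The OAuth-based check proposed earlier in the thread, and the GitHub auto-detection described in the last post, both hinge on one detail a verifier must get right: GitHub’s `GET /user` response only carries the `two_factor_authentication` field when the token has enough scope, so a missing field means “unknown”, not “disabled”. The following is an added example, not Tidelift’s or GitHub’s own code; the sample responses are constructed, and `package_task_result` is a hypothetical per-package rule that only auto-verifies when every lifter is confirmed enabled.

```python
import json
from enum import Enum
from typing import Dict, List, Tuple


class TwoFactorStatus(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    UNKNOWN = "unknown"  # field absent: token lacked scope, or not a GitHub user


def two_factor_status(user_json: str) -> TwoFactorStatus:
    """Classify a GitHub GET /user response body for the authenticated user.

    Assumption (check against current GitHub docs): the boolean
    ``two_factor_authentication`` is only included for tokens with the
    ``user`` scope. Silence must therefore be reported as UNKNOWN so a
    verifier never marks an account "2FA disabled" on missing data.
    """
    user = json.loads(user_json)
    flag = user.get("two_factor_authentication")
    if flag is True:
        return TwoFactorStatus.ENABLED
    if flag is False:
        return TwoFactorStatus.DISABLED
    return TwoFactorStatus.UNKNOWN


def package_task_result(lifter_responses: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Hypothetical per-package rule: auto-verify only when every lifter is
    confirmed ENABLED; return (auto_verified, lifters still needing attention).
    DISABLED and UNKNOWN both land in the attention list so humans see them.
    """
    pending = [name for name, body in lifter_responses.items()
               if two_factor_status(body) is not TwoFactorStatus.ENABLED]
    return (not pending, pending)


# Constructed sample responses, trimmed to the relevant field; not real API output.
SAMPLE_RESPONSES = {
    "alice": '{"login": "alice", "two_factor_authentication": true}',
    "bob": '{"login": "bob", "two_factor_authentication": false}',
    "carol": '{"login": "carol"}',  # token lacked scope, so the field is absent
}

if __name__ == "__main__":
    verified, pending = package_task_result(SAMPLE_RESPONSES)
    print("auto-verified" if verified else f"needs attention: {pending}")
```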