[Qgis-psc] Fwd: Users in your organization will soon be required to enable 2FA

Luigi Pirelli luipir at gmail.com
Wed Aug 16 06:13:39 PDT 2023


right... any github user should have received this notification.

Luigi Pirelli

**************************************************************************************************
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Book: Mastering QGIS3 - 3rd Edition
<https://www.packtpub.com/eu/application-development/mastering-geospatial-development-qgis-3x-third-edition>
* Hire a team: http://www.qcooperative.net
**************************************************************************************************


On Wed, 16 Aug 2023 at 13:53, Richard Duivenvoorde via QGIS-PSC <
qgis-psc at lists.osgeo.org> wrote:

> Hi,
>
> FYI
>
> We (Github admins) received the mail below.
>
> If I understand correctly, because QGIS org/project has a certain weight,
> users committing to repos of qgis.org have to enable 2FA, or lose access
> to the qgis repos
>
> I see a lot of people who have not enabled 2FA yet (myself I just did it
> 10 seconds ago).
>
> I'm pretty sure they will get a personal notice from github too, but
> thought to let you all know of this mail.
>
> Regards,
>
> Richard Duivenvoorde
>
>
>
>
> -------- Forwarded Message --------
> Subject:        Users in your organization will soon be required to enable
> 2FA
> Date:   Mon, 14 Aug 2023 11:38:26 -0700
> From:   GitHub <noreply at github.com>
> To:     Richard Duivenvoorde <richard at duif.net>
>
>
>
> GitHub
>
>
>      Some users in your organization will soon be required to enable 2FA
>
> Hey rduivenvoorde!
>
> You are receiving this notification because you are the admin of the
> "qgis" organization. In your organization there are 51 users that meet the
> updated criteria for the two-factor authentication requirement program. Of
> these 51 users, 24 already have 2FA enabled, and will not be allowed to
> disable it. The rest will be required to enable it over a 45-day period.
> Read on to learn what that means for your users, and how to prepare.
>
> *This enrollment is not related to your organization account or its
> settings.* It is based on the individual actions and privileges of your
> organization's users on GitHub.com, both within your organization and
> outside of it.
>
>
>      What is GitHub's required 2FA program?
>
> GitHub is expanding the 2FA program announced last year <
> https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/>.
> When we launched this program in March <
> https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13>,
> we only included users who had published an app, Action, or Package.
> Starting today, we'll ask users who have published a release of a
> repository or manage critical repositories to also enable 2FA.
>
>
>      When do these users have to enable 2FA?
>
> Users will be contacted over the next month, receiving emails and
> notification banners on GitHub.com. They have 45 days, starting from the
> day they are notified, to enable 2FA. The first third of users will be
> contacted today.
>
> To learn more about the enrollment process, see our March blog post <
> https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/#reminder-what-to-expect-if-you-are-required-to-enable-2fa>
> about the timeline.
>
>
>      Why do these users have to enable 2FA?
>
> These users have taken an action on GitHub.com which now requires 2FA.
>
> Users in this enrollment group have created a release <
> https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases>
> or manage a critical OpenSSF repository <
> https://github.com/ossf/wg-securing-critical-projects>. That means, the
> 51 users in your organization being added to the program have created a
> release at least once in the past, or are administrators of an OpenSSF
> repository. This release may have been from one of your Organizations, in
> another Organization, or in their own personal repositories.
>
> In addition to the new enrollment group, we have enabled daily updates to
> the previous enrollment group, which included all accounts that have
> published an app, Action or Package. If a user publishes an app, Action, or
> Package for the first time, they will be enrolled in the 2FA program the
> next day, starting the 45-day enrollment process detailed in our March blog
> post <
> https://github.blog/2023-03-09-raising-the-bar-for-software-security-github-2fa-begins-march-13/#reminder-what-to-expect-if-you-are-required-to-enable-2fa
> >.
>
>
>      Will any more of my members need to enable 2FA?
>
> More of your organization's members may take an action that puts them in
> this enrollment group or a previous one. At any time, you can review which
> users are required to enable 2FA by checking the People tab of your
> organization - it now shows users who are required to enable 2FA but have
> not yet done so. In the future, we'll continue to expand the set of users
> that require 2FA, and we'll reach out again when that occurs.
>
> You should validate if service accounts you manage are in this rollout, by
> reviewing their associated email inbox for notifications across the next
> month. For help on setting up 2FA for shared service accounts, see "Setting
> up 2FA for service accounts" <
> https://docs.github.com/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/managing-bots-and-service-accounts-with-two-factor-authentication
> >.
>
>
>      Isn't SAML protection sufficient?
>
> SAML protects your organization data, but it doesn't stop an attacker from
> accessing your users' personal accounts. These accounts can be contributors
> outside of your organization, and need to be protected as well.
>
> Making the software supply chain more secure is a team effort, and we
> couldn't do it without you. Your support of 2FA is an impactful step in
> keeping the world's software secure.
>
> Thanks,
> The GitHub Security Team
>
>
>
> GitHub, Inc. ・88 Colin P Kelly Jr Street ・San Francisco, CA 94107
>