jupyter / security

Review security of GitHub repository committers & 2-factor authentication.

Carreau opened this issue · comments

Cf thread on the Jupyter Mailing list.

It would be a good idea to review:

  • Who has commit rights & where
  • If they have rights on sensitive areas, try to push for them to enable 2FA.
  • Investigate the possibility of making 2FA mandatory through GitHub options.

At the same time, we could likely see if we can clean up who is in what team, and if developers are still active.

Once this is done, we can also review who has access to non-GitHub resources at the same time:

  • readthedocs,
  • PyPI
  • youtube...

And try to uniformise that, as well as investigate securing the release processes.

We can see 2FA status from an organization level. You can also filter out those that do not have 2FA enabled. https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/

Yes, thanks @willingc! Though I'm not sure everyone can see this page, or at least it won't appear in the same way depending on your status in the organisation.

For the Jupyter organisation the following page lists all members of the organisation:

https://github.com/orgs/jupyter/people

I can see the 2FA status, but not if I'm not logged in. I suppose it is a security measure to avoid attackers finding vulnerable people. I think you can also "hide" your membership of an organisation, in which case only Owners, I think, can see you.

Still, I cannot easily distinguish people who are part of the organisation without commit rights from those who have them, without drilling through teams/repositories.

Hope you're getting some rest post-Japan!

From last week's GitHub announcements, you can enable 2FA for an organization and the warning box explains what happens to a member until they activate 2FA: https://help.github.com/articles/requiring-two-factor-authentication-in-your-organization/
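The review the opening post asks for (who can push where, and whether those people have 2FA), the org-level "members without 2FA" filter mentioned above, and the org-wide 2FA requirement from the announcement can all be checked from the GitHub REST API rather than by clicking through team pages. The script below is an added example, not code from this issue or from the Jupyter project. It assumes an org-owner token in the `GITHUB_TOKEN` environment variable and the documented endpoints `GET /orgs/{org}` (field `two_factor_requirement_enabled`), `GET /orgs/{org}/members?filter=2fa_disabled`, `GET /orgs/{org}/repos` and `GET /repos/{owner}/{repo}/collaborators` (field `permissions`). The organisation name `example-org`, the logins and the repository names in the sample data are constructed so the audit logic runs offline.

```python
"""Audit an organisation for members who can push but have no 2FA enabled.

The audit itself is a pure function over already-fetched JSON, so it can be
run offline on sample data (below) and unit-tested; fetch_and_audit() wires
it to the live GitHub API for an org owner.
"""
import json
import os
import urllib.parse
import urllib.request

API = "https://api.github.com"


def gh_get(path, token, params=None):
    """Single authenticated GET against the REST API, following page= until a
    page comes back short. Returns the JSON body (dict or list)."""
    results = []
    page = 1
    while True:
        query = dict(params or {}, per_page=100, page=page)
        url = f"{API}{path}?{urllib.parse.urlencode(query)}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        })
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        if not isinstance(body, list):
            return body          # object endpoints such as GET /orgs/{org}
        results.extend(body)
        if len(body) < 100:
            return results
        page += 1


def can_push(collaborator):
    """True if the collaborator's permission set allows writing to the repo."""
    perms = collaborator.get("permissions", {})
    return bool(perms.get("push") or perms.get("maintain") or perms.get("admin"))


def audit(org_info, no_2fa_logins, repo_collaborators):
    """org_info: GET /orgs/{org} body.
    no_2fa_logins: logins returned by members?filter=2fa_disabled.
    repo_collaborators: {repo_name: [collaborator dicts]}.
    Returns a report of write access held by accounts without 2FA."""
    no_2fa = set(no_2fa_logins)
    exposed = {}
    for repo, collaborators in repo_collaborators.items():
        for c in collaborators:
            if can_push(c) and c["login"] in no_2fa:
                exposed.setdefault(c["login"], []).append(repo)
    return {
        "two_factor_required": bool(org_info.get("two_factor_requirement_enabled")),
        "members_without_2fa": sorted(no_2fa),
        "push_without_2fa": {login: sorted(repos) for login, repos in sorted(exposed.items())},
    }


def fetch_and_audit(org, token):
    """Live version: pull the three data sets for `org` and run the audit."""
    org_info = gh_get(f"/orgs/{org}", token)
    no_2fa = [m["login"] for m in gh_get(f"/orgs/{org}/members", token, {"filter": "2fa_disabled"})]
    collaborators = {}
    for repo in gh_get(f"/orgs/{org}/repos", token):
        collaborators[repo["name"]] = gh_get(
            f"/repos/{org}/{repo['name']}/collaborators", token, {"affiliation": "all"})
    return audit(org_info, no_2fa, collaborators)


# Constructed sample data standing in for the three API responses.
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_NO_2FA = ["alice", "carol"]
SAMPLE_COLLABS = {
    "notebook": [
        {"login": "alice", "permissions": {"admin": False, "push": True, "pull": True}},
        {"login": "bob", "permissions": {"admin": True, "push": True, "pull": True}},
    ],
    "docs": [
        {"login": "carol", "permissions": {"admin": False, "push": False, "pull": True}},
        {"login": "alice", "permissions": {"admin": False, "push": True, "pull": True}},
    ],
}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    report = fetch_and_audit("example-org", token) if token else audit(
        SAMPLE_ORG, SAMPLE_NO_2FA, SAMPLE_COLLABS)
    print(json.dumps(report, indent=2))
```

On the sample data the report flags `alice` (push on both repos, no 2FA) and leaves `carol` out, since read-only access is not the risk being reviewed; once the org-wide requirement is switched on, `members_without_2fa` should come back empty because non-compliant members are removed.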

I think this has been done, but just moving it for posterity to jupyter/security for that group to decide if this should be deemed closeable or not.