+1, noone using Github can reasonably object to that.

We discussed this in #wikimedia-releng and realised that we'll need to sort out the bots, wmfgerrit and wmfphab. wmfgerrit uses SSH for actual automated actions so should be simple (someone with the password or access to the email behind it needs to go in and add MFA), wmfphab apparently uses HTTPS pushing so will need to switch to an access token I think.

In T198810#4398207, @Krenair wrote:

wmfphab apparently uses HTTPS pushing so will need to switch to an access token I think.

I agree that it should, but I'm not sure it blocks requiring of 2FA. I thought the 2FA applies only to log-in with the GitHub web UI? (And by extent, all actions that cannot be done over Git or API).

FWIW, +1 from me.

It'd be kind of nice if people who are members solely so all commits in wmf repos appear in their contribs graph without having to star every repo, didn't have to have 2fa (and had no rights). But I guess that's not an option.

In T198810#4400287, @Bawolff wrote:

It'd be kind of nice if people who are members solely so all commits in wmf repos appear in their contribs graph without having to star every repo, didn't have to have 2fa (and had no rights). But I guess that's not an option.

Why is this the case?

Supportive of this, we'll be looking into the wmfgerrit/wmfphab accounts soon.

In T198810#4400355, @Reedy wrote:

In T198810#4400287, @Bawolff wrote:

It'd be kind of nice if people who are members solely so all commits in wmf repos appear in their contribs graph without having to star every repo, didn't have to have 2fa (and had no rights). But I guess that's not an option.

Why is this the case?

I recall someone mentioning there's some obscure github restriction that means you have to have some association with a repository before the repository can claim you contributed to it. Being a member of the organisation is probably one of the options.

As far as I'm concerned, the thing that matters is the ability to write to/administrate a repository. If someone can't do that they don't need MFA.

Will this also affect "outside collaborators"? If not, perhaps we could shift all non-2FA people over to that status for now? Ignore me, it says it does. Oh well.

According to the screenshot at the top of this task yes. ninja'd

I see there are three listed blockers for this task. Two are visible to me and are resolved. If the third one is as well, maybe we could move forward and make this mandatory? Thanks.

In T198810#4888563, @MarcoAurelio wrote:

I see there are three listed blockers for this task. Two are visible to me and are resolved. If the third one is as well, maybe we could move forward and make this mandatory? Thanks.

It is a task tracking people without 2fa enabled and thus who would lose access if we enabled this feature (enforcement). It's not resolved :/

At what point do we want to just turn this on and force people out :)

In T198810#4941132, @Reedy wrote:

At what point do we want to just turn this on and force people out :)

right.... we probably just JFDI at some point.. but I guess not *really* JFDI, we should let people know as best we can with warning.

So, that sounds like an email (from me, I suppose) to wikitech-l@, ops@, and engineering@ (my goto set of lists) laying out what will happen and when. Say, one month notice (with a reminder the week before)?

tl;dr: If you don't enable 2FA on your github account and you are a member of the "wikimedia" organization you will be kicked out on $DATE.

In T198810#4944545, @greg wrote:

So, that sounds like an email (from me, I suppose) to wikitech-l@, ops@, and engineering@ (my goto set of lists) laying out what will happen and when. Say, one month notice (with a reminder the week before)?
tl;dr: If you don't enable 2FA on your github account and you are a member of the "wikimedia" organization you will be kicked out on $DATE.

I think this seems reasonable. Obviously worth mentioning we can/will re-add people later once they enable 2FA if they require

What about a personal email to the affected users instead to the whole lists? This is not very relevant for the majority of our subscribers :)

In T198810#4945009, @MarcoAurelio wrote:

What about a personal email to the affected users instead to the whole lists? This is not very relevant for the majority of our subscribers :)

If there were an easy way to do that in github I would (any pointers anyone?). There's currently 28 people who would be effected. I can identify about 14 of them myself. And at least one bot who I'm not sure who manages.

There's some slightly scary tools like https://github.com/paulirish/github-email

Well, not too scary. I ripped out the guts of that bash script that I needed and did a run for all of the github user names that are in the wikimedia org without 2FA enabled and now have a list of emails.

Email sent. Deadline of March 11th.

Well, that script didn't work very well. A bunch of false positives (somehow caught people who do have 2fa enabled).

In T198810#4945626, @greg wrote:

Email sent. Deadline of March 11th.

For the record for any curious reader: This deadline might no longer be valid due to my bad list of email addresses. I will follow-up when I can....

Mentioned in SAL (#wikimedia-releng) [2019-03-27T22:27:26Z] <James_F> Altered Wikimedia GitHub settings to require 2FA; see T198810