Add SPEC 6: Keys to the Castle

[stefanv]

/cc @jarrodmillman

I think the gopass implementation is user friendly enough that we can use it as an example.

Do you have any other ideas for principles the system should adhere to?

[tupui]

Good idea 👍 I have some suggestions.

[betatim]

In general I think this is a good SPEC. For mybinder.org we have been doing essentially this using git-crypt and one shared secret. This has worked well.

One "big picture" thing I wanted to point out, despite not having a good solution, is that command line tools like gopass and git-crypt don't have the same UX comfort factor as something with a GUI. Especially for people who don't spend all day using the terminal. This means for people like that you need to spend more time helping them, increase the chances of them storing the passwords in an additional location that is easier to access, increase the chance of being turned off because the friction is too high, etc. So I wonder if there is a tool that has a nice GUI that can be recommended. Or if there are password vault services that offer a free tier that allows sharing. In the past Keybase had a "not terrible" UX but their funding situation changed a few years ago (I think got bought by Zoom), which is a bit of a turn off. I don't think Firefox's password vault supports sharing, but maybe there is something to explore there (with Mozilla)?

[tupui]

Good points 👍 AFAIK there are 2 viable options (OSS you can self-host) in terms of UI with sharing features (things like keepass are great for local use but not much for working with a team): Bitwarden and passbolt.

In both cases, the difficulty will be trust. Either you trust their system and use their tiers (possible for big projects as we have funds), or you self-host. But unless you have a security expert in the team, I would personally have reservations.

For some reason, we are not so much targeted by hackers yet. But once they realise we would be a great vector of attack, things would drastically change. So far it's just typo squatting and a bit of malware sharing on PyPi. But they could very easily target people with credentials to ship compromised binaries... And that's only the the easy quick thing someone could do. If you follow a bit the security and pen. test space, real life hacks are really crazy now (e.g. how they compromised LastPass.)

[MridulS]

+1 on having a more user friendly solution for sharing secrets, currently need to pass around the git-crypt one and it just doesn't seem right. It's possible to self host Bitwarden (either with the official one or vaultwarden) but even paying for Bitwarden turns out not to be super expensive (we can just use the "family" plan).

Also a +1 on 2FA hardware based security key as part of the SPEC. PyPI already "forced" people to have 2FA so I think we can elevate that requirement as a SPEC. I'm not sure if conda-forge feedstocks force people to have 2FA enabled on github or not but having a general guideline like this would be great!

[tupui]

We could probably get free accounts from Bitwarden if we pitch correctly the idea.

[stefanv]

The goal of the SPEC is to define principles, and any system that satisfies those principles is fine. We can give multiple examples.

We obviously need at least one free implementation (which I provided), and self-hosting is not typically an option for most projects. In fact, most projects don't even have funds to pay for bitwarden, and the account needs to be accessible by all team members.

[tupui]

We obviously need at least one free implementation (which I provided)

@stefanv Note that https://github.com/numpy/vault is not publicly available. I don't have access to see the repo.

[stefanv]

I will write to Bitwarden to find out about community pricing.

[stefanv]

We obviously need at least one free implementation (which I provided)

@stefanv Note that https://github.com/numpy/vault is not publicly available. I don't have access to see the repo.

New link: https://github.com/scientific-python/vault-template

[stefanv]

I will write to Bitwarden to find out about community pricing.

Bitwarden offers a 25% discount on our advertised pricing to registered non-profit organizations. If you sign up, you will start with a 7-day trial. At that time, let us know the name of your Organization, and we will apply the discount code to your account so that the discount will be applied to your first invoice.

So that goes from 3 USD per user per month to 2.25 per user per month, or 135 USD per year for a core team of 5.

[stefanv]

See https://github.com/dani-garcia/vaultwarden

[betatim]

The goal of the SPEC is to define principles, and any system that satisfies those principles is fine. We can give multiple examples.

What I was hoping for is to get the "When setting things up, consider the UX comfort for all the different types of people involved. You don't want to create the equivalent of super-secure-password-complexity-and-rotation-rules that lead to people writing the password on a post-it stuck to the monitor".

[ivirshup]

I was trying to figure out some PyPI security stuff where 1password's "free team for open source" was recommended. It looks like it's quite popular with some large projects like: numfocus, jupyter, Python Software Foundation Infrastructure Team, and Rust.

https://github.com/1Password/1password-teams-open-source

I think a big advantage here is access controls, which I'm not sure you can get for free with bitwarden.

[tupui]

oh thanks for sharing that! I even see Kali in the list. If that's not a good sign, I don't know what would be 😅

[tupui]

Actually I just heard that NumFOCUS provide team accounts for affiliated projects.

[jni]

The NumFOCUS folks just point you to that 1Password page 😅 but yes, we are using 1Password for Teams for Open Source for napari and it was a smooth process.

[tupui]

Oh really? I heard a different story from another project. That would be a bit underwhelming but ok still nice to have a central place saying what exists and is possible to do.

[ivirshup]

@jni, could you add all the core devs to the team? It's been a little unclear to me if the team accounts were capped at 10.

[jni]

Well, not all 14 core devs have asked for invites so we haven't tested that hypothesis yet 😂 , but nothing in the process suggested that limit. They explicitly add for the number of core contributors in the PR template, so I presume that's the limit they set? But probably can be expanded?

[stefanv]

This is a great option; thanks for finding it! I've added it to the SPEC.

[ivirshup]

1password's pricing page says the "teams" account is up to ten people, and after that it's called "business".

But not sure what this translates to for the open source projects.

[stefanv]

The document has been updated with the feedback above; thanks everyone!

[stefanv]

I've widened the scope of the SPEC slightly (adding that projects should document who has access to which resources), made the note on scoped tokens / rotation more prominent, and moved the pass-based solution down as a second option.

[pllim]

I didn't follow the entire convo so sorry if I missed it. Was https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ considered?

[stefanv]

I didn't follow the entire convo so sorry if I missed it. Was https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ considered?

We use trusted publishing, but that doesn't alter the fact that we sometimes need to store and share credentials.

[stefanv]

I didn't follow the entire convo so sorry if I missed it. Was https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/ considered?

We use trusted publishing, but that doesn't alter the fact that we sometimes need to store and share credentials.

@pllim I thought about your idea a bit more, and perhaps it's worth mentioning some of these commonly used mechanisms explicitly. I'll add a note to the PR.

[lagru]

Thanks for tackling this @stefanv. I really like the purpose and principles of this SPEC!

[lagru]

This could also list a bullet point on what makes a secure secret in case of conventional passwords (e.g passphrases, minimal password length, etc). I imagine using the recommended password managers here, makes it easy to use long ones that don't have to be remembered and can just be copy-pasted. Or maybe just point out this fact.

Might be to detailed for the scope of this document though...

[tupui]

Agreed on saying that password must be created only using generators from password managers.

[lagru]

Nitpick: Feels weird to me that "Principles" is in the section "Implementation". I'd make it its own level-## section after "Description" and before "Implementation".

[tupui]

I had another look 😃 I think if we want to move this forward it might be good to release. Then it will get more traction (e.g. as seen on SPEC4) and people will start to engage.

[tupui]

Slightly out of scope here.

"safeguard": it could read too vague. I think we need to provide some minimal recommendations like never have a ssh key without a passkey.

[stefanv]

Note passkeys are now an entirely new thing :)

[tupui]

This should is also true if using other options and I think should be moved in the general section.

[tupui]

Agreed on saying that password must be created only using generators from password managers.

[stefanv]

I've addressed the feedback by @lagru and @tupui—thank you both!

[jarrodmillman]

There is a minor section rearrangement needed, but I will do that in a follow-up PR. Let's just merge this and then revise it as needed.

[tupui]

Thanks @stefanv 👏 I think this is great and now if projects do follow these guidelines that would be a huge step up in terms of security.

[stefanv]

Great, and I'm happy to incorporate further suggestions. I found it quite helpful to aggregate these.