PyPI Insists On 2FA For Critical Projects
Written by Kay Ewbank   
Tuesday, 26 July 2022

PyPI, the Python Package Index, the official repository of third-party open-source Python projects, has tightened its requirements for critical projects. Two-factor authentication will now be mandatory for developers maintaining projects designated as critical.

The move has been made to improve the general security of the Python ecosystem, and PyPI, along with the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.

Eligible maintainers will be able to redeem a promo code for two free Titan Security Keys (either USB-C or USB-A), including free shipping.


The move comes three years after PyPI first offered two-factor authentication as a login security option.

The definition of a 'critical project' is simply any project in the top one percent of downloads over the previous six months. As PyPI has over 350K projects, the 'critical' list contains over 3,500 projects.

Once a project has been designated as critical, it retains that designation indefinitely. While the news has been welcomed by many, some developers have either complained or removed their projects from PyPI, pointing out that placing security requirements on free software maintained by a single developer is a disincentive.

Armin Ronacher, the developer of Flask, a lightweight web application framework, said on his blog that he hadn't set out to create a 'critical' package, and that while requiring 2FA to be enabled is quite mild, it sets a precedent:

"The message to me as a maintainer is quite clear: once a project achieved criticality, then the index wants to exercise a certain amount of control. From the index' perspective it's within the bounds of its terms of service to put further restrictions on such a project."

Ronacher's point is that developers already put their own time and labor into developing projects, and the users of the packages ought to take some of the burden.

Developers of projects affected by the move have been informed by email. 


More Information

PyPI 2FA Security Key Giveaway
