PyPI Insists On 2FA For Critical Projects
Written by Kay Ewbank
Tuesday, 26 July 2022
PyPI, the Python Package Index, which is the official repository of third-party open-source Python projects, has tightened its requirements for critical projects. Two-factor authentication (2FA) is now mandatory for developers maintaining projects designated as critical.
The move has been made to improve the general security of the Python ecosystem, and PyPI, along with the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.
Eligible maintainers will be able to redeem a promo code for two free Titan Security Keys (either USB-C or USB-A), including free shipping.
The move comes three years after PyPI first offered two-factor authentication as an optional login security feature.
The definition of a 'critical project' is simply any project in the top one percent of downloads over the previous six months. As PyPI hosts over 350K projects, the 'critical' list contains over 3,500 projects.
Once a project has been designated as critical, it retains that designation indefinitely. While the news has been welcomed by many, some developers have either complained or removed their projects from PyPI, pointing out that placing security requirements on free software maintained by a single developer acts as a disincentive.
Armin Ronacher, the developer of Flask, a lightweight web application framework, said on his blog that he hadn't set out to create a 'critical' package, and that while requiring 2FA to be enabled is quite mild, it sets a precedent:
"The message to me as a maintainer is quite clear: once a project achieved criticality, then the index wants to exercise a certain amount of control. From the index' perspective it's within the bounds of its terms of service to put further restrictions on such a project."
Ronacher's point is that developers already put their own time and labor into their projects, and that the users of those packages ought to shoulder some of the burden.
Developers of projects affected by the move have been informed by email.