🐍 Securing PyPI accounts via Two-Factor Authentication
"Today, as part of that long term effort to secure the Python ecosystem, we are announcing that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023."
#pypi is doing the right thing and requiring two-factor for all package uploading. It should be much harder to take over abandoned packages by using leaked passwords. I guess I also need to learn how to do the 2nd factor, or maybe just switch my publishing to GitHub Actions.
"The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible. In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data. I, as Director of Infrastructure of the Python Software Foundation, fulfilled the requests in consultation with PSF's counsel."
Perhaps the #PyPI people are the only ones willing to pull the handbrake, unlike other lang registries that worry about optics first.
"PyPI, the official third-party registry of open source Python packages, has temporarily suspended new users from signing up, and new projects from being uploaded to the platform, until further notice.
The unexpected move comes amid the registry's struggle to keep up with a large influx of malicious users and packages."
In the blog post, @yossarian took a look at the signatures on PyPI packages.
Result: worse than useless.
Keys not obtainable, signatures long expired, etc. If you want a good scare, read the post. #PGP #PyPI #Python
"PyPI new user and new project registrations temporarily suspended" due to high levels of malicious package uploads.
Absolutely the right decision by the PyPI administrators, take all the time you need 🤗 https://status.python.org/incidents/qy2t9mjjcc7g
Do you program in Python? At the March edition of PyStok you could watch a talk on the recently popular attacks on PyPI packages: what exactly the criminals are after and how to protect yourself against them.
Both the new Flask and Werkzeug releases use PyPI's new OIDC trusted publisher integration with GitHub (https://docs.pypi.org/trusted-publishers/). Really easy to set up and use, no more managing tokens manually. #Python #PyPI
I've added the new #PyPI feature "Trusted Publishers" to the secure #Python package template repository, you can now publish packages without credentials in #GitHub Actions! 📦
Dustin Ingram (Google Open Source Security Team member, PSF director, Python Package Index maintainer) is giving the talk "Software Security and Slippery Slopes" at PyCon US 2023 🇺🇲🐍
Exciting news from #PyPI, just in time for @PyConUS:
"Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems."
I've been part of the private beta and it works really well!