PyPI Insists On 2FA For Critical Projects
Written by Kay Ewbank   
Tuesday, 26 July 2022

PyPI, the Python Package Index, which is the official repository of third-party open-source Python projects, has got tough with its requirements for critical projects. The plan is that two-factor authentication will now be mandatory for developers maintaining critical projects.

The move has been made to improve the general security of the Python ecosystem, and PyPI, along with the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.

Eligible maintainers will be able to redeem a promo code for two free Titan Security Keys (either USB-C or USB-A), including free shipping.


The move comes three years after PyPI first offered two-factor authentication as a login security option.

The definition of a 'critical project' is simply any project in the top one percent of downloads over the previous six months. As PyPI has over 350K projects, the number on the 'critical' list is over 3,500 projects.

Once a project has been designated as critical it retains that designation indefinitely. While the news has been welcomed by many, some developers have either complained or removed their projects from PyPI, pointing out that placing security requirements on free software that's maintained by a single developer represents a disincentive.

Armin Ronacher, the developer of Flask, a lightweight web application framework, said on his blog that he hadn't set out to create a 'critical' package, and while requiring the enabling of 2FA is quite mild, it sets a precedent:

"The message to me as a maintainer is quite clear: once a project achieved criticality, then the index wants to exercise a certain amount of control. From the index' perspective it's within the bounds of its terms of service to put further restrictions on such a project."

Ronacher's point is that developers already put their own time and labor into developing projects, and the users of the packages ought to take some of the burden.

Developers of projects affected by the move have been informed by email. 


More Information

PyPI 2FA Security Key Giveaway
