Deprecation of bdist_egg uploads to PyPI
PEP 715, deprecating bdist_egg/.egg
uploads to PyPI has been
accepted.
We'll begin the process of implementing this today.
Please note that this does NOT remove any existing uploaded eggs from PyPI.
2023
Announcing the launch of PyPI Malware Reporting and Response project
We are pleased to announce that the PSF has received funding from the Center for Security and Emerging Technology (CSET) to develop and improve the infrastructure for malware reporting and response on PyPI. This project will be executed over the coming year.
Enforcement of 2FA for upload.pypi.org begins today
Beginning today, all uploads from user accounts with 2FA enabled will be required to use an API Token or Trusted Publisher configuration in place of their password.
Reducing Stored IP Data in PyPI
Hi there! I'm Mike, the newest member of the PyPI admin team. Nice to meet you!
TL;DR
We've been working on reducing the amount of IP address data we store, and we're making progress.
Securing PyPI accounts via Two-Factor Authentication
One of the key security promises that PyPI makes is that when you're downloading something, that only the people associated with that project are going to be able to upload, delete, or otherwise modify a project. That when you look at that project and see that it is owned by someone that you trust, that you can be assured that nobody else is making changes to that package on PyPI.
PyPI was subpoenaed
In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested.
Removing PGP from PyPI
If you are someone who is currently uploading signatures, your package uploads will
continue to succeed, but any PGP signatures will be silently ignored. If you are
someone who is currently downloading PGP signatures, existing signatures
SHOULD continue to be available 1, but no new signatures will be made available.
The related API fields such as has_sig have all been hardcoded to always be
False.
Announcing the PyPI Safety & Security Engineer role
We are pleased to announce Amazon Web Services (AWS) as the inaugural Security Sponsor for PyPI, investing $144,000 over one year to fund key enhancements to PyPI infrastructure and operations, including the creation of a new “PyPI Safety & Security Engineer” role.
Introducing PyPI Organizations
Today, we are rolling out the first step in our plan to build financial support and long-term sustainability of the Python Packaging Index (PyPI), while simultaneously giving our users one of our most requested features: organization accounts.
Introducing 'Trusted Publishers'
Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.