Deprecation of bdist_egg uploads to PyPI
PEP 715, deprecating bdist_egg / .egg uploads to PyPI, has been accepted.
We'll begin the process of implementing this today.
Please note that this does NOT remove any existing uploaded eggs from PyPI.
We are pleased to announce that the PSF has received funding from the Center for Security and Emerging Technology (CSET) to develop and improve the infrastructure for malware reporting and response on PyPI. This project will be executed over the coming year.
Beginning today, all uploads from user accounts with 2FA enabled will be required to use an API Token or Trusted Publisher configuration in place of their password.
Hi there! I'm Mike, the newest member of the PyPI admin team. Nice to meet you!
We've been working on reducing the amount of IP address data we store, and we're making progress.
One of the key security promises that PyPI makes is that when you're downloading something, only the people associated with that project are able to upload, delete, or otherwise modify it. When you look at that project and see that it is owned by someone you trust, you can be assured that nobody else is making changes to that package on PyPI.
In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested.
If you are someone who is currently uploading signatures, your package uploads will continue to succeed, but any PGP signatures will be silently ignored. If you are someone who is currently downloading PGP signatures, existing signatures SHOULD continue to be available [1], but no new signatures will be made available. The related API fields such as has_sig have all been hardcoded to always be False.
We are pleased to announce Amazon Web Services (AWS) as the inaugural Security Sponsor for PyPI, investing $144,000 over one year to fund key enhancements to PyPI infrastructure and operations, including the creation of a new “PyPI Safety & Security Engineer” role.
Today, we are rolling out the first step in our plan to build financial support and long-term sustainability of the Python Packaging Index (PyPI), while simultaneously giving our users one of our most requested features: organization accounts.
Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.