This is part two in a three-part series. See part one here, and part three here.
This post is a deeper dive into the remediation of the security audit findings for the Warehouse - the main codebase for PyPI.org.
The audit report can be found here. I highly recommend reading that for the fullest context first.
This is part one in a three-part series. See part two here, and part three here
We are proud to announce that PyPI has completed its first ever external security audit. This work was funded in partnership with the Open Technology Fund (OTF), a previous supporter of security-related improvements to PyPI.
The current PyPI security reporting procedure
directs reporters to send an email to security@pypi.org with details.
security@ was previously an email alias for admin@,
a Google Group that contains all current PyPI Administrators (4 people).
Back in 2019 we kicked off efforts to integrate with GitHub secret scanning. Due to the complexity in nature, the completed integration launched in 2021, with the volunteer-led effort by Joachim Jablon (@ewjoachim) and the GitHub team.
Starting today, newly registered users must enable 2FA before they can perform any management actions on PyPI. This change comes after we've also added a rule for accounts to have a verified, primary email address for the same set of management actions.
As a reminder, PyPI has supported adding 2FA since 2019.
👋 Hi there! I'm Mike Fiedler (@miketheman) I've been a Python Package Index (PyPI) contributor since early 2021, and became a maintainer in 2022. Now I'm joining the PSF to work on PyPI full-time as the first PyPI Safety & Security Engineer.
PEP 715, deprecating bdist_egg/.egg
uploads to PyPI has been
accepted.
We'll begin the process of implementing this today.
Please note that this does NOT remove any existing uploaded eggs from PyPI.
We are pleased to announce that the PSF has received funding from the Center for Security and Emerging Technology (CSET) to develop and improve the infrastructure for malware reporting and response on PyPI. This project will be executed over the coming year.
Beginning today, all uploads from user accounts with 2FA enabled will be required to use an API Token or Trusted Publisher configuration in place of their password.
Hi there! I'm Mike, the newest member of the PyPI admin team. Nice to meet you!
We've been working on reducing the amount of IP address data we store, and we're making progress.