One of the key security promises that PyPI makes is that when you're downloading something, that only the people associated with that project are going to be able to upload, delete, or otherwise modify a project. That when you look at that project and see that it is owned by someone that you trust, that you can be assured that nobody else is making changes to that package on PyPI.
In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested.
If you are someone who is currently uploading signatures, your package uploads will
continue to succeed, but any PGP signatures will be silently ignored. If you are
someone who is currently downloading PGP signatures, existing signatures
SHOULD continue to be available 1, but no new signatures will be made available.
The related API fields such as has_sig have all been hardcoded to always be
False.
We are pleased to announce Amazon Web Services (AWS) as the inaugural Security Sponsor for PyPI, investing $144,000 over one year to fund key enhancements to PyPI infrastructure and operations, including the creation of a new “PyPI Safety & Security Engineer” role.
Today, we are rolling out the first step in our plan to build financial support and long-term sustainability of the Python Packaging Index (PyPI), while simultaneously giving our users one of our most requested features: organization accounts.
Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.
Today, we're excited to launch blog.pypi.org, the official blog of the Python Package Index.
One of the most common refrains I hear from Python community members, irrespective of if they have been around for days or years, is "I didn't realize that PyPI...". Followed by something along the lines of: