The PyPI Blog

Securing PyPI accounts via Two-Factor Authentication

One of the key security promises that PyPI makes is that when you download something, only the people associated with that project are able to upload, delete, or otherwise modify it. When you look at a project and see that it is owned by someone you trust, you can be assured that nobody else is making changes to that package on PyPI.

PyPI was subpoenaed

In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames was requested.

Removing PGP from PyPI

If you are someone who is currently uploading signatures, your package uploads will continue to succeed, but any PGP signatures will be silently ignored. If you are someone who is currently downloading PGP signatures, existing signatures SHOULD continue to be available, but no new signatures will be made available. The related API fields such as has_sig have all been hardcoded to always be False.

Announcing the PyPI Safety & Security Engineer role

We are pleased to announce Amazon Web Services (AWS) as the inaugural Security Sponsor for PyPI, investing $144,000 over one year to fund key enhancements to PyPI infrastructure and operations, including the creation of a new “PyPI Safety & Security Engineer” role.

Introducing PyPI Organizations

Today, we are rolling out the first step in our plan to build financial support and long-term sustainability of the Python Packaging Index (PyPI), while simultaneously giving our users one of our most requested features: organization accounts.

Introducing 'Trusted Publishers'

Starting today, PyPI package maintainers can adopt a new, more secure publishing method that does not require long-lived passwords or API tokens to be shared with external systems.

Welcome to the PyPI Blog

Today, we're excited to launch blog.pypi.org, the official blog of the Python Package Index.

One of the most common refrains I hear from Python community members, irrespective of whether they have been around for days or years, is "I didn't realize that PyPI...", followed by something along the lines of: