PyPI enforces 2FA; the author of a package with more than a million monthly downloads deletes his code and reissues the version

The Python Package Index (PyPI), the official repository for third-party open-source Python projects, has announced plans to make two-factor authentication (2FA) mandatory for maintainers of "critical" projects. "In an effort to improve the overall security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for key projects; this requirement will take effect in the coming months."

Any PyPI project that has been in the top 1% of downloads over the past 6 months is designated as a critical project. At the time of this announcement there are over 350K projects on PyPI, so over 3500 projects are designated as "critical"; this data is refreshed daily, so the set of critical projects changes over time. Additionally, the Google Open Source Security Team, a sponsor of the Python Software Foundation (PSF), will provide maintainers of critical projects with free hardware security keys.

This move is mainly a response to the recent string of hijacking incidents in the npm and PyPI ecosystems. Last year, the heavily used npm libraries "ua-parser-js", "coa" and "rc" were modified to carry malware after their maintainer accounts were compromised. As a result, npm's parent company, GitHub, took steps to protect maintainer accounts: an enhanced login experience (with a 2FA option) for developers began rolling out in December 2021, and further security updates were announced in May of this year. Now PyPI is following GitHub's lead and requiring 2FA for maintainer accounts as well.

"Ensuring that the most widely used projects have these protections against account takeover is a step in our broader effort to improve the overall security of the Python ecosystem for all PyPI users," explained the PyPI administrators. They also shared a dashboard showing over 3,818 PyPI projects and 8,218 PyPI user accounts that they identified as "critical" and that may be required to adopt 2FA.

The move was supported by many in the community, with over 28,000 PyPI user accounts (including those not associated with "critical" projects) voluntarily enabling 2FA. But some developers disagree. Markus Unterwaditzer, the developer of the popular Python project "atomicwrites", removed his code from PyPI and republished it in an attempt to keep the project out of the "critical" category. Data shows that atomicwrites was downloaded more than 6 million times in a given month.

But Unterwaditzer's move caused some controversy. Some have compared it to the left-pad incident in 2016, in which a developer pulled his widely depended-upon JavaScript project from the npm registry and set off a widespread chain of build failures. There are still differences, however: Unterwaditzer only republished a version of "atomicwrites" to reset his project's download count (and its PyPI-assigned "critical" status) rather than permanently withdrawing his code, and left-pad also involved a trademark dispute.

Unterwaditzer said in the project's issue tracker that he sees PyPI's mandatory 2FA as a move aimed at guaranteeing SOC2 compliance for a handful of companies, but paid for with his free time, which he finds very annoying.

"So I removed the package and released a new version, just to see if the warning went away. What I didn't think about was that this would remove the old versions. Those versions are now apparently gone, but it's obviously impossible for me to re-upload them. I don't think pypi's behavior is sensible, but I'm sorry either way. Anyway, the API has been the same since the first version."

"I've decided to deprecate this package. While I do regret removing this package and eventually enabling 2FA, I don't think the sudden change in PyPI's rules and the strange behavior of package removal is worth my time to maintain this popular Python software for free. I'd rather just write code for fun and worry about supply chain security only when I'm actually getting paid."

Currently, with the help of @dstufft from PyPI, the old versions of atomicwrites have been restored.


Source: www.oschina.net/news/202624/pypi-mandates-2fa-critical-projects