Following the recent hijacking of several Python projects, the Python Package Index (PyPI) is mandating two-factor authentication (2FA) for the accounts that maintain critical projects.
Projects with significant downloads in the past six months, and others that are tagged as critical, will soon be required to secure their accounts, says PyPI. While it’s a good move, a few developers are against it.
Extra Security For Critical Python Projects
Last year, popular npm packages like ‘ua-parser-js’, ‘coa’ and ‘rc’ were modified with malware to compromise the software that depended on them, prompting the community to push for more security measures. Eventually, GitHub, the owner of npm, mandated 2FA for accounts that maintain sensitive npm packages.
Following suit now is the Python Package Index (PyPI), the official repository of third-party open-source Python projects. As noted in a blog post, the platform admins decided to require two-factor authentication for accounts that maintain critical Python projects.
We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them.
To ensure that these maintainers can use strong 2FA methods, we're also distributing 4000 hardware security keys! https://t.co/gcCNWSqBcU
— Python Package Index (@pypi) July 8, 2022
Critical projects are defined as those that account for the top 1% of downloads over the last six months, plus any PyPI dependencies that have been designated as ‘critical’.
PyPI is also offering free hardware security keys to critical project maintainers, with support from its sponsor, the Google Open Source Security Team. This comes after a popular PyPI project, ctx, was hijacked in a failed ‘ethical’ hacking experiment.
Having identified over 3,818 PyPI projects and 8,218 PyPI user accounts as critical, the team said the mandate will roll out in the coming months. Further:
“Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users.”
Meanwhile, over 28,000 PyPI user accounts that aren’t deemed critical have voluntarily enabled 2FA. Still, some developers are pushing back against the move.