Hi, Python packaging colleagues! As Ernest blogged last week, a team has kicked off work on improving Warehouse security, accessibility, and internationalization. See the blog post & links for more details and who’s working on what, but our first milestone is:
- Support for two-factor authentication via TOTP and U2F/FIDO.
- Application-specific tokens scoped to individual users/projects (this will also cover adding token-based login support to twine and setuptools)
- Advanced audit trail of user actions beyond the current journal (allowing publishers to track all actions taken by third-party services on their behalf).
As project manager, I’ll be sending progress reports about twice a month, and posting meeting notes on the wiki.
Engineer William Woodruff of Trail of Bits is working on TOTP support. UX designer and developer Nicole Harris is reviewing that work, working on relevant help text, and developing the user experience that multi-factor auth and our other objectives will require.
And today a few of us discussed several open issues. If you’d like to help out, we’d love volunteer help with:
- #4470: Connect Warehouse’s frontend to the Have I Been Pwned API to prevent reuse of breached passwords
- #3417: give users a form to configure a redirect from files.pythonhosted.org/<project.name> to some new URL – Ernest lays out how to do this in an issue comment
- #5584: Validate whether uploaded packages ending in tar.gz are actually tarballs
Want to help? Check out Warehouse’s developer environment setup docs and tell us if you have trouble getting started!
And please tell me if you’re planning to join us at sprints at PyCon North America, May 6th-9th, so we can plan tasks.
More next month, including some schedule estimates.
Thanks to the Open Technology Fund for funding this work!
Sumana Harihareswara, Warehouse project manager