PyPI security work: multifactor auth progress & help needed

Hi, Python packaging colleagues!

We continue to work towards our first goal: support for two-factor authentication on PyPI via TOTP and U2F/FIDO. William and Nicole are continuing their development and design work as I mentioned in the last update, with additional work by Mark Mossberg at Trail of Bits, plus Ernest, Dustin, and Donald advising and reviewing.

We are working out our rollout plans for multifactor auth, and so we don’t yet have an estimate for when we’ll deliver that and when we’ll start the API keys or audit trail work. But the existing work-in-progress PR for MFA is ready for you to try out and play with now, and we’ll have more for you to try out next month at the PyCon sprints.

Want to help?

Thank you @gpshead for your PR to validate whether uploaded packages ending in tar.gz are actually tarballs!

And please speak up in this topic if you’re planning to come to sprints at PyCon North America, May 6th-9th, so we can plan tasks.

We’ll send another progress report around mid-month. That’s also when PSF aims to announce another Request For Information for Warehouse security improvements: “highly requested security features in PyPI such as cryptographic signing and verification of files uploaded and installed from the index” (possibly using TUF).

Thanks to the Open Technology Fund for funding this work!

Sumana Harihareswara, Warehouse project manager
