Following the recent hijacking of several Python projects, the Python Package Index (PyPI) is mandating two-factor authentication (2FA) for the accounts of critical projects.

Projects with significant downloads over the past six months, along with others tagged as critical, will soon be required to secure their maintainer accounts, says PyPI. While it's a good move, a few developers are against it.

Extra Security For Critical Python Projects

Last year, we saw popular npm packages like 'ua-parser-js', 'coa' and 'rc' modified with malware to compromise the software that depended on them, prompting the community to push for stronger security measures. Eventually, GitHub, the owner of npm, mandated 2FA for accounts that maintain sensitive npm packages.

Now following suit is the Python Package Index (PyPI), the official repository of third-party open-source Python projects. As noted in a blog post, the platform admins decided to require two-factor authentication for accounts that maintain critical Python projects.

We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them. To ensure that these maintainers can use strong 2FA methods, we’re also distributing 4000 hardware security keys! https://t.co/gcCNWSqBcU — Python Package Index (@pypi) July 8, 2022