On 5/30/22 6:56 PM, Brett Cannon wrote:


On Fri, May 27, 2022 at 9:40 AM Skip Montanaro <skip.montan...@gmail.com> wrote:
    1. Would requiring 2FA for all PyPI accounts be reasonable?


Both GitHub (https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/) and npm (https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/) will be requiring 2FA in the future, so we are not trailblazing here. The attackers are unfortunately too relentless and vast to leave PyPI alone. Add in the fact that Python packaging does not lock Python versions and require hash verification (at least for now; I'm still trying to get this rectified), and this problem will persist.

Skip, you might also be interested in this Discourse discussion about the current state of requiring multifactor auth on PyPI: https://discuss.python.org/t/require-mfa-on-pypi/12077/28

--
Sumana Harihareswara
Changeset Consulting
https://changeset.nyc
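Brett's remark above about hash verification refers to pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`). The script below is an added example, not code from this thread or from pip itself: it parses a constructed requirements file carrying `--hash=` options and applies the same two accept/reject decisions pip makes in that mode, refusing any requirement that has no hash at all and rejecting any artifact whose digest is not listed. The package names, the requirements text and the artifact bytes are constructed; the sha256 value in the file is the digest of the three bytes `b"abc"`, which stand in for a downloaded wheel.

```python
"""Hash-checking install decisions, re-implemented for illustration.

This is an added example and not pip's own code. It mirrors what
`pip install --require-hashes` does: every requirement must carry at
least one --hash option, and the downloaded file must match one of them.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed requirements file (not from any real project). The sha256 is
# the digest of b"abc", the constructed stand-in for a wheel used below.
REQUIREMENTS = """\
# pinned with hashes, as `pip hash` or pip-compile --generate-hashes would emit
examplepkg==1.2.3 \\
    --hash=sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
unpinnedpkg>=2.0
"""


@dataclass
class Requirement:
    name: str
    spec: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def parse_requirements(text):
    """Parse requirement lines, honouring backslash continuations and comments."""
    reqs = []
    pending = []
    for raw in text.splitlines():
        # Simplified comment handling; real pip is stricter about '#' in URLs.
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        joined = " ".join(pending).strip()
        pending = []
        if not joined:
            continue
        tokens = joined.split()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(.*)", tokens[0])
        req = Requirement(name=m.group(1).lower(), spec=m.group(2))
        for tok in tokens[1:]:
            if tok.startswith("--hash="):
                algo, _, hexdigest = tok[len("--hash="):].partition(":")
                req.hashes.setdefault(algo, set()).add(hexdigest.lower())
        reqs.append(req)
    return reqs


def verify_artifact(req, data, require_hashes=True):
    """Decide whether `data` may be installed for `req`.

    Returns (ok, reason). With require_hashes=True a requirement without
    any --hash is refused outright, which is what makes a pinned file a
    real supply-chain control rather than a hint.
    """
    if not req.hashes:
        if require_hashes:
            return False, f"{req.name}: no --hash given; refusing under --require-hashes"
        return True, f"{req.name}: installed without hash verification"
    for algo, allowed in req.hashes.items():
        digest = hashlib.new(algo, data).hexdigest()
        if digest in allowed:
            return True, f"{req.name}: {algo} digest matches"
    return False, f"{req.name}: digest mismatch; artifact differs from what was pinned"


if __name__ == "__main__":
    reqs = {r.name: r for r in parse_requirements(REQUIREMENTS)}
    # Constructed artifacts: the pinned bytes and a tampered variant.
    for name, data in [("examplepkg", b"abc"), ("examplepkg", b"abd"),
                       ("unpinnedpkg", b"whatever")]:
        print(verify_artifact(reqs[name], data))
```

Running it shows the pinned artifact accepted, the one-byte change rejected, and the hash-less requirement refused; dropping `require_hashes` lets the unpinned package through, which is the default behaviour Brett is describing as the gap.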
_______________________________________________
Security-SIG mailing list -- security-sig@python.org
To unsubscribe send an email to security-sig-le...@python.org
https://mail.python.org/mailman3/lists/security-sig.python.org/