The biggest Python topics of 2023
PyPI Security and 2FA Implementation
This collection covers PyPI, security, and trusted package management: the phased enforcement of 2FA for PyPI accounts, the PSF's hiring of dedicated security staff (a Security Developer-in-Residence and a PyPI Safety & Security Engineer), the introduction of Trusted Publishers for OIDC-based uploads, responses to malicious-package campaigns, and projects such as pypi-diff for tracking package history. Securing PyPI accounts, two-factor authentication requirements, and the safety of the Python Package Index ecosystem are the recurring themes.
PyPI Has Completed Its First Security Audit Article
https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/
PSF Receives “Wonderfully Welcoming Award” From GitHub! Article
https://pyfound.blogspot.com/2023/11/psf-wonderfully-welcoming-award-github.html
Security Developer-in-Residence Year End Report Article
A summary of the activities of the PSF’s Security Developer-in-Residence over 2023.
https://sethmlarson.dev/security-developer-in-residence-weekly-report-20
Nominations for 2023 Malcolm Tredinnick Memorial Prize Article
https://www.djangoproject.com/weblog/2023/oct/18/nominations-for-2023-malcolm-tredinnick-memorial-p/
Querying Every File in Every Release on PyPI Article
Lots of information can be found by delving into the Python Package Index and examining the libraries hosted there. This article shows you what is involved in querying all that data.
https://sethmlarson.dev/security-developer-in-residence-weekly-report-18
Security Developer-in-Residence 2023 Q3 Report Article
This report is by the new Security Developer-in-Residence Seth Larson and summarizes the work he was involved with in Q3 of 2023. It covers the PSF being authorized as a CVE Numbering Authority, the CPython vulnerability database, OpenSSF Day, and more.
https://pyfound.blogspot.com/2023/10/security-developer-in-residence-2023-q3-report.html
Welcoming the Supporting Developer in Residence Article
https://discuss.python.org/t/welcoming-the-supporting-developer-in-residence/39702
FastAPI 0.95.2 Security Fix Released Article
https://fastapi.tiangolo.com/release-notes/
PyPI Temporarily Suspended New Registrations Article
Due to a large volume of traffic from malicious users, PyPI temporarily suspended new account and project registrations on May 20th. The suspension was lifted 30 hours later on May 21st.
https://status.python.org/incidents/qy2t9mjjcc7g
Python Software Foundation Board Election Dates for 2023 Article
https://pyfound.blogspot.com/2023/05/psf-board-election-dates-for-2023.html
Welcoming PyPI’s Safety & Security Engineer Mike Fiedler Article
You may remember a recent Python Package Index (PyPI) announcement about hiring a full-time security engineer. We’ve also mentioned several current security initiatives from PyPI. This week on the show, we talk with Mike Fiedler about accepting this new role and securing accounts on PyPI.
https://realpython.com/podcasts/rpp/177/
Python Security Response Team Handles an Advisory Article
Seth Larson is the Python Security Developer-in-Residence and he recently participated in his first publication of an advisory from end to end. This blog post walks through the process and the improvements to it that the experience suggested.
https://sethmlarson.dev/security-developer-in-residence-weekly-report-8
PyPI Introduces “Trusted Publishers” Article
PyPI package maintainers can adopt a new, more secure OIDC-based publishing method: a supported CI provider such as GitHub Actions presents a short-lived OpenID Connect identity token, which PyPI exchanges for a short-lived upload token, so no long-lived passwords or API tokens need to be stored in external systems.
https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
Is Anyone Using PyPy for Real Work? Article
https://news.ycombinator.com/item?id=36940871
CircleCI Security Incident: Rotate Your Keys Article
CircleCI says hackers stole encryption keys and customers’ secrets.
https://techcrunch.com/2023/01/14/circleci-hackers-stole-customer-source-code/
Securing PyPI Accounts via Two-Factor Authentication Article
PyPI already required two-factor authentication for high-volume ("critical") projects, but now it has announced that all package maintainers must enable 2FA by the end of 2023. This post talks about why the decision was made and what your 2FA options are.
https://blog.pypi.org/posts/2023-05-25-securing-pypi-with-2fa/
PSF Authorized as a CVE Numbering Authority Article
The Common Vulnerabilities and Exposures program identifies, catalogs, and discloses cybersecurity vulnerabilities. The Python Software Foundation has recently been added as a numbering authority, improving Python’s ability to disclose and respond to security issues.
https://pyfound.blogspot.com/2023/08/psf-authorized-as-cna.html
Analysing and Parsing the Contents of PyPI Article
High-level statistics gathered from PyPI, including how popular language features are, project sizes (tensorflow accounts for 16% of the data on PyPI!) and growth.
https://py-code.org/stats
PSF Is Hiring a Security Developer-in-Residence Article
https://pyfound.blogspot.com/2023/01/the-psf-is-hiring-security-developer-in.html
Latest Attack on PyPI Users, Crooks Are Getting Better Article
Over 400 new malicious packages have been uploaded to PyPI that use a malicious JavaScript extension to monitor infected machines for crypto-currency interactions with the intent of stealing credentials. Packages are named based on typos of many of the most popular PyPI downloads.
https://arstechnica.com/information-technology/2023/02/451-malicious-packages-available-in-pypi-contained-crypto-stealing-malware/
Attack on PyPI Attempting to Deliver Rust Executable Article
https://blog.phylum.io/phylum-discovers-another-attack-on-pypi/
PyPI: 2FA Enforcement for New User Registrations Article
https://blog.pypi.org/posts/2023-08-08-2fa-enforcement-for-new-users/
PSF Announces New Security Developer in Residence Article
https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html
I Am the First PSF Security Developer-in-Residence Article
Seth was recently hired as the first Security Developer-In-Residence at the PSF. His blog post talks about what his responsibilities are and how he defines success for the position.
https://sethmlarson.dev/security-developer-in-residence
PSF Announces New PyPI Safety & Security Engineer Article
https://pyfound.blogspot.com/2023/08/announcing-our-new-pypi-safety-security.html
2022 PSF Annual Report Article
The annual report from the Python Software Foundation details all the changes and events at the PSF last year.
https://www.python.org/psf/annual-report/2022/
PSF Board Election Results Article
https://pyfound.blogspot.com/2023/06/announcing-2023-psf-board-election.html
GitHub Now Scans Public Issues for PyPI Secrets Article
This PyPI blog post talks about the integration between them and GitHub to help ensure accidental exposure of PyPI secrets is quickly dealt with.
https://blog.pypi.org/posts/2023-08-17-github-token-scanning-for-public-repos/
PSF Announces Fellow Members for Q1 2023 Article
https://pyfound.blogspot.com/2023/08/announcing-python-software-foundation.html
PSF Hiring a Deputy CPython Developer in Residence Article
https://pythonsoftwarefoundation.applytojob.com/apply/9jXnEu0MuJ/Deputy-CPython-Developer-In-Residence
Enforcement of 2FA for PyPI Began June 1st Article
Accounts that have two-factor authentication enabled can no longer upload with just a username and password: uploads from those accounts must use an API token or a Trusted Publisher. This is one step in the transition of PyPI to 2FA across the board.
https://blog.pypi.org/posts/2023-06-01-2fa-enforcement-for-upload/
Security Developer-in-Residence: Weekly Report #2 Article
The new Security Developer-in-Residence at the Python Software Foundation writes about Software Bills of Materials (SBOMs) and how they can programmatically tell you exactly what is in a distribution, including bundled compiled libraries.
https://sethmlarson.dev/security-developer-in-residence-weekly-report-2
Trusted Publishing: Publishing to PyPI With Github Actions Article
PyPI recently introduced a method to publish from GitHub Actions without storing a username and password or a long-lived API token in the repository. This post shows you Philip's set-up for his own projects using this new feature.
https://pgjones.dev/blog/trusted-plublishing-2023/
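As an added example covering both the Trusted Publishers announcement above and this post (it is not PyPI's or Philip's own workflow), here is the shape of a GitHub Actions workflow that publishes with a Trusted Publisher, with the long-lived-token setting it replaces shown as a comment. The environment name `pypi`, the release trigger and the Python version are assumptions; the trusted publisher must first be registered on PyPI for this repository, workflow file name and environment, because those are the OIDC token claims PyPI checks before issuing the short-lived upload token.

```yaml
# .github/workflows/publish.yml  (added example, not code from the original post)
name: Publish to PyPI

on:
  release:
    types: [published]   # assumed trigger; tag pushes or workflow_dispatch also work

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed
      - run: python -m pip install --upgrade build
      - run: python -m build       # produces dist/*.tar.gz and dist/*.whl
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Assumed environment name. It must match the environment entered when the
    # trusted publisher was registered on PyPI (owner, repository, workflow
    # filename and environment are matched against the OIDC token's claims).
    # Protecting this environment with required reviewers limits who can
    # trigger a publish even if they can push to the repository.
    environment: pypi
    permissions:
      id-token: write   # the only permission this job needs: lets it request an OIDC token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        # Trusted publishing: no `password:` input. The action presents GitHub's
        # short-lived OIDC identity token to PyPI and receives a short-lived
        # upload token scoped to this project in return.
        #
        # The weak setting this replaces, a long-lived token stored as a secret:
        #   with:
        #     password: ${{ secrets.PYPI_API_TOKEN }}
        # Anyone who can read that secret (a compromised CI provider, as in the
        # CircleCI incident above, a malicious action in the same job, or a
        # leaked log) can publish as you until the token is revoked.
```

Keep the `id-token: write` permission on the publish job only, not at the workflow level, so build steps that run third-party actions cannot mint an identity token; and keep the build and publish jobs separate so the artifact uploaded is exactly the one that was built.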
2023 PSF Board Election Is Open; Vote Before June 30th Article
https://pyfound.blogspot.com/2023/06/the-2023-psf-board-election-is-open.html
Python Software Foundation Board of Directors Nominations Article
https://pyfound.blogspot.com/2023/05/thinking-about-running-for-python.html
leaky_ledger: A Fake Bank to Practice Finding Vulnerabilities Project Started in 2023
https://github.com/zchtodd/leaky_ledger
pypi-diff: PyPI Package History Tracking Project Started in 2023
pypi package history tracking
https://github.com/pypi-diff/old