The biggest Python topics of 2023 ›

PyPI Security and 2FA Implementation

The intersection of PyPI, security, and trusted package management is highlighted in this collection of documents, showcasing recent developments such as the enforcement of 2FA for PyPI accounts, the hiring of security professionals at PSF, and initiatives like pypi-diff for tracking package history. Discussions around securing PyPI accounts, two-factor authentication requirements, and the importance of safety and security measures in the Python Package Index ecosystem are prevalent themes throughout these documents.

PyPI Has Completed Its First Security Audit Article

PSF Receives “Wonderfully Welcoming Award” From GitHub! Article

Security Developer-in-Residence Year End Report Article

A summary of the activities of the PSF’s Security Developer-in-Residence over 2023.

Nominations for 2023 Malcolm Tredinnick Memorial Prize Article

Querying Every File in Every Release on PyPI Article

Lots of information can be found by delving into the Python Package Index and examining the libraries hosted there. This article shows you what is involved in querying all that data.

Security Developer-in-Residence 2023 Q3 Report Article

This report is by the new Security Developer-in-Residence Seth Larson and summarizes all the work he has been involved with in Q3 of 2023. It talks about Python being authorized as a CVE Numbering Authority, the CPython vulnerability database, OpenSSF Day, and more.

Welcoming the Supporting Developer in Residence Article

FastAPI 0.95.2 Security Fix Released Article

PyPI Temporarily Suspended New Registrations Article

Due to a large volume of traffic from malicious users, PyPI temporarily suspended new account and project registrations on May 20th. The suspension was lifted 30 hours later on May 21st.

Python Software Foundation Board Election Dates for 2023 Article

Welcoming PyPI’s Safety & Security Engineer Mike Fiedler Article

You may remember a recent Python Package Index (PyPI) announcement about hiring a full-time security engineer. We’ve also mentioned several current security initiatives from PyPI. This week on the show, we talk with Mike Fiedler about accepting this new role and securing accounts on PyPI.

Python Security Response Team Handles an Advisory Article

Seth Larson is the Python Security Developer-in-Residence and he recently participated in his first publication of an advisory from end-to-end. This blog post talks about the process involved and how it gives him thoughts on what to improve.

PyPI Introduces “Trusted Publishers” Article

PyPI package maintainers can adopt a new, more secure “OIDC authenticated” publishing method that does not require long-lived passwords or API tokens to be shared with external systems.

Is Anyone Using PyPy for Real Work? Article

CircleCI Security Incident: Rotate Your Keys Article

CircleCI says hackers stole encryption keys and customers’ secrets.

Securing PyPI Accounts via Two-Factor Authentication Article

PyPI has already added two-factor authentication for high volume projects, but now they’ve announced that all package maintainers must upgrade to 2FA by the end of 2023. This post talks about why the decision was made and what your 2FA options are.

PSF Authorized as a CVE Numbering Authority Article

The Common Vulnerabilities and Exposures program identifies, catalogs, and discloses cybersecurity vulnerabilities. The Python Software Foundation has recently been added as a numbering authority, improving Python’s ability to disclose and respond to security issues.

Analysing and Parsing the Contents of PyPI Article

High-level statistics gathered from PyPI, including how popular language features are, project sizes (tensorflow accounts for 16% of the data on PyPI!) and growth.

PSF Is Hiring a Security Developer-in-Residence Article

Latest Attack on PyPI Users, Crooks Are Getting Better Article

Over 400 new malicious packages have been uploaded to PyPI that use a malicious JavaScript extension to monitor infected machines for crypto-currency interactions with the intent of stealing credentials. Packages are named based on typos of many of the most popular PyPI downloads.

Attack on PyPI Attempting to Deliver Rust Executable Article

PyPI: 2FA Enforcement for New User Registrations Article

PSF Announces New Security Developer in Residence Article

I Am the First PSF Security Developer-in-Residence Article

Seth was recently hired as the first Security Developer-In-Residence at the PSF. His blog post talks about what his responsibilities are and how he defines success for the position.

PSF Announces New PyPI Safety & Security Engineer Article

2022 PSF Annual Report Article

The annual report from the Python Software Foundation details all the changes and events at the PSF last year.

PSF Board Election Results Article

GitHub Now Scans Public Issues for PyPI Secrets Article

This PyPI blog post talks about the integration between them and GitHub to help ensure accidental exposure of PyPI secrets is quickly dealt with.

PSF Announces Fellow Members for Q1 2023 Article

PSF Hiring a Deputy CPython Developer in Residence Article

Enforcement of 2FA for PyPI Began June 1st Article

For those accounts that have two-factor authentication turned on for PyPI uploads, the use of 2FA is now required. Users with 2FA who were only using their password in the past will now have to perform 2FA as well. This is all part of the transition of PyPI to 2FA across the board.

Security Developer-in-Residence: Weekly Report #2 Article

The new Security Developer-in-Residence at the Python Software Foundation writes about the Software Bill of Materials and how it can programmatically tell you exactly what is in a distribution, including compiled libraries.

Trusted Publishing: Publishing to PyPI With Github Actions Article

PyPI recently introduced a method to publish using GitHub Actions without the need for usernames and passwords. This post shows you Philip’s set-up for his own projects using this new feature.

2023 PSF Board Election Is Open; Vote Before June 30th Article

Python Software Foundation Board of Directors Nominations Article

leaky_ledger: A Fake Bank to Practice Finding Vulnerabilities Project Started in 2023

pypi-diff: PyPI Package History Tracking Project Started in 2023

pypi package history tracking