Thursday, May 30, 2019

Use two-factor auth to improve your PyPI account's security

To increase the security of Python package downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option on the Python Package Index. This is thanks to a grant from the Open Technology Fund; coordinated by the Packaging Working Group of the Python Software Foundation.

Starting today, the canonical Python Package Index at and the test site at offer 2FA for all users. We encourage project maintainers and owners to log in and go to their Account Settings to add a second factor. This will help improve the security of their PyPI user accounts, and thus reduce the risk of vandals, spammers, and thieves gaining account access.

PyPI's maintainers tested this new feature throughout May and fixed several resulting bug reports; regardless, you might find a new issue. If you find any potential security vulnerabilities, please follow our published security policy. (Please don't report security issues in Warehouse via GitHub, IRC, or mailing lists. Instead, please directly email one or more of our maintainers.) If you find an issue that is not a security vulnerability, please report it via GitHub.

PyPI currently supports a single 2FA method: generating a code through a Time-based One-time Password (TOTP) application. After you set up 2FA on your PyPI account, then you must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an application (usually a mobile phone app) in order to generate authentication codes; see our FAQ for suggestions and pointers.

You'll need to verify your primary email address on your Test PyPI and/or PyPI accounts before setting up 2FA. You can also do that in your Account Settings.

Currently, only TOTP is supported as a 2FA method. Also, 2FA only affects login via the website which safeguards against malicious changes to project ownership, deletion of old releases, and account take overs. Package uploads will continue to work without 2FA codes being provided.

But we're not done! We're currently working on WebAuthn-based multi-factor authentication, which will let you use, for instance, Yubikeys for your second factor. Then we'll add API keys for package upload, then an advanced audit trail of sensitive user actions. More details are in our progress reports.

Thanks to the Open Technology Fund for funding this work. And please sign up for the PyPI Announcement Mailing List for future updates.

Wednesday, May 8, 2019

Farewell, Python 3.4

It's with a note of sadness that I announce the final retirement of Python 3.4.  The final release was back in March, but I didn't get around to actually closing and deleting the 3.4 branch until this morning.

Python 3.4 introduced many features we all enjoy in modern Python--the asyncio, ensurepip, and enum packages, just to name three.  It's a release I hope we all remember fondly.

My eternal thanks to all the members of the release team that worked on Python 3.4:
Georg Brandl
Julien Palard

Martin von Löwis

Ned Deily
Steve Dower
Terry Reedy

and all the engineers of the Python infrastructure team.

Special thanks to Benjamin Peterson and Ned Deily, who frequently scurried around behind the scenes cleaning up the messes I cluelessly left in my wake.

Having closed 3.4, I am now retired as Python 3.4 Release Manager.  I regret to inform all of you that you're still stuck with me as Python 3.5 Release Manager until sometime next year.