Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Programming Python

PyPI Is Rolling Out 2FA For Critical Projects, Giving Away 4,000 Security Keys (zdnet.com) 19

PyPI or the Python Package Index is giving away 4,000 Google Titan security keys as part of its move to mandatory two-factor authentication (2FA) for critical projects built in the Python programming language. ZDNet reports: PyPI, which is managed by the Python Software Foundation, is the main repository where Python developers can get third-party developed open-source packages for their projects. [...] One way developers can protect themselves from stolen credentials is by using two-factor authentication and the PSF is now making it mandatory for developers behind "critical projects" to use 2FA in coming months. PyPI hasn't declared a specific date for the requirement. "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," the PSF said on its PyPI Twitter account.

As part of the security drive, it is giving away 4,000 Google Titan hardware security keys to project maintainers gifted by Google's open source security team. "In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months," PSF said in a statement. "To ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.

PSF says it deems any project in the top 1% of downloads over the prior six months as critical. Presently, there are more than 350,000 projects on PyPI, meaning that more than 3,500 projects are rated as critical. PyPI calculates this on a daily basis so the Titan giveaway should go a long way to cover a chunk of key maintainers but not all of them. In the name of transparency, PyPI is also publishing 2FA account metrics here. There are currently 28,336 users with 2FA enabled, with nearly 27,000 of them using a 2FA app like Microsoft Authenticator. There are over 3,800 projects rated as "critical" and 8,241 PyPI users in this group. The critical group is also likely to grow since projects that have been designated as critical remain so indefinitely while new projects are added to mandatory 2FA over time. The 2FA rule applies to both project maintainers and owners.

This discussion has been archived. No new comments can be posted.

PyPI Is Rolling Out 2FA For Critical Projects, Giving Away 4,000 Security Keys

Comments Filter:
  • Who the hell came up with such a name?
    • What a stupid name for the Python Package Index?

      What would you call it?

      • by Junta ( 36770 )

        Cheese Shop, obviously.

        • by AmiMoJo ( 196126 )

          Naming things is now the hardest problem in software engineering.

          I am building a little static site generator for notes, inspired by minimalist Japanese websites. Every name I could think of has been used five times over already. I was getting desperately close to just calling it HorseBatteryStaple but settled on something generic. Fuck it, I'm probably the only one who will ever use it.

      • PopPI
        or 'Package McPI face'

    • by gweihir ( 88907 )

      Remember who the language is named for...

  • by nuckfuts ( 690967 ) on Monday July 11, 2022 @05:37PM (#62694596)
    I've become so jaded regarding the collection of data by Google (or whatever they're branding themselves as these days) that I inherently mistrust anything they have a hand in. Although I haven't tried Google Titan firsthand, I'm going to assume that the first thing it requires is some sort of account provided (directly or indirectly) by Google. However, even without any such account, I expect Google will be able to glean a lot of information about what your device is logging in to, at what times, from where, etc., and will tie this together with all the other information they harvest about you.
    • > https://fidoalliance.org/specs... [fidoalliance.org]

      Not tried it, not spent two minutes reading up on it.

      If you'd like to know something about it, you can read all about it here:

      https://fidoalliance.org/specs... [fidoalliance.org]

      > I'm going to assume that the first thing it requires is some sort of account provided (directly or indirectly) by Google. However, even without any such account, I expect Google will be able to glean a lot of information

      Why would you INTENTIONALLY choose to believe stuff that you know is total bull, random si

      • Who is telling you that Google's Titan 2FA is using the U2F protocol? According to the linked article from OP it is using its own proprietary shit: "Google Authenticator" or similar that require a third party while U2F does not. You can bet your ass that Google will track the living hell out of anyone because that's what they do.
        • More absolute garbage straight from your ass. Couldn't be more wrong.

          >its own proprietary shit: "Google Authenticator" or similar that require a third party

          Every day thousands of people use my 2FA system that I wrote from scratch. They mostly call it "Google authenticator" because that's the app most people use with it. You can use any of dozens of 2FA apps because Google Authenticator uses TOTP, the single most common 2FA standard. It's RFC 6238.
          https://datatracker.ietf.org/d... [ietf.org]

          It's very much not propr

    • by AmiMoJo ( 196126 )

      Why are you like? By your own admission you know nothing about Titan security keys, don't know how they work, or what FIDO2 is.

      Instead of finding out, you get triggered by the world "google" and go on a rant about data collection.

      FYI no connection to Google servers is made, the Titan key doesn't even have internet access and it works just fine offline.

      • Unless, of course, Google's proprietary "extended security protocol" is used (and I bet it is). Which is supported only by Google's Titan key. Embrace, extend, extinguish.
  • You get a key, and you get a key, everyone gets a key!!1!

  • "PSF says it deems any project in the top 1% of downloads over the prior six months as critical. Presently, there are more than 350,000 projects on PyPI, meaning that more than 3,500 projects are rated as critical."

    Wait, what? How is that possible? Unless a large portion of those have exactly the same number of downloads...

    • "PSF says it deems any project in the top 1% of downloads over the prior six months as critical. Presently, there are more than 350,000 projects on PyPI, meaning that more than 3,500 projects are rated as critical."

      Wait, what? How is that possible? Unless a large portion of those have exactly the same number of downloads...

      You rank projects by download volume, take top 1% of that list. And yes, that's *very* different from "top projects responsible for 1% of the volume of downloads"

  • So what is MFA goal in this?
    This seems like that they want to turn on MFA for these packages to cover the their ass and the fact that this is a unmodded collection of python scripts. So they can go, "Oh, you got hacked do to our incompetence? Well if you had wasted your time and money on a overpriced, cheaply made USB toy, you would be fine. We are a corp. Our time and money is not meant for security. Nope, its for all the data tracking we are doing on the packages."

Single tasking: Just Say No.

Working...