PSA: #PyPI is requiring #2FA in 2024 to publish new releases. If you're a developer of #Python packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.
Data from today shows less than 10% of PyPI's accounts have 2FA enabled: https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1
@sethmlarson does publishing via Trusted Publishers require 2FA as well?
If not, can we somehow require that?
@tmr232 There's no requirement for 2FA to publish via Trusted Publishers, however you need to enable 2FA to configure Trusted Publishers, see management actions:
https://blog.pypi.org/posts/2023-08-08-2fa-enforcement-for-new-users/#what-are-management-actions
@tmr232 Projects that are looking to require 2FA more broadly can opt-in to requiring all associated accounts use 2FA.
@sethmlarson Thanks!
I was mostly wondering what the situation is, as a consumer of packages.
2FA on PyPI still leaves us vulnerable to project hijacks on GitHub, but it is still a massive step forward.
More on Trusted Publishers - are there plans to let users of PyPI see whether a package was published via Trusted Publishers, and from which repo?
@tmr232 This still punts the concern down another layer to the email provider, but GitHub is also requiring 2FA for code contributors in 2024.
Eventually there will be a mechanism analogous to NPM's "build provenance", but Trusted Publishers isn't that (but could be bootstrapped into that potentially without code changes for software producers). Stay tuned in that space :)