fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.

Seth Larson

🚨 PSA: is requiring in 2024 to publish new releases. If you're a developer of packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.

Data from today shows less than 10% of PyPI's accounts have 2FA enabled: p.datadoghq.com/sb/7dc8b3250-3

@sethmlarson does publishing via Trusted Publishers require 2FA as well?
If not, can we somehow require that?

@tmr232 Projects that are looking to require 2FA more broadly can opt in to requiring that all associated accounts use 2FA.

@sethmlarson Thanks!

I was mostly wondering what the situation is, as a consumer of packages.

2FA on PyPI still leaves us vulnerable to project hijacks on GitHub, but still is a massive step forward.

More on Trusted Publishers - are there plans to let users of PyPI see whether a package was published via Trusted Publishers, and from which repo?

@tmr232 This still punts the concern down another layer to the email provider, but GitHub is also requiring 2FA for code contributors in 2024.

Eventually there will be a mechanism analogous to npm's "build provenance", but Trusted Publishers isn't that (but could be bootstrapped into that potentially without code changes for software producers). Stay tuned in that space :)