The administrators of the official Python third-party package repository have begun requiring maintainers of "critical" projects to enable two-factor authentication (2FA).
Python Package Index (PyPI) stated in a tweet that they have begun the process of rolling out a requirement for two-factor authentication (2FA). Soon, maintainers of critical projects will be required to have 2FA enabled in order to publish, update, or modify them.
The requirement for two-factor authentication applies to "any maintainer of a critical project," which includes "project owners" as well as "maintainers."
Additionally, the Google Open Source Security Team is offering free hardware security keys to maintainers of critical projects who have not previously enabled 2FA on PyPI.
More than 350,000 projects can be found on the Python Package Index (PyPI), which is managed by the Python Software Foundation. Reportedly, more than 3,500 of these projects have been given the "critical" designation.
Any project that has accounted for the top 1 percent of downloads over the prior six months will be labeled as critical, and this determination will be recalculated on a daily basis, as stated by the people who maintain the repository.
However, once a project has been designated as critical, it retains that designation indefinitely, even if it later drops out of the top 1 percent of downloads.
This move, which is seen as an attempt to improve the security of the Python ecosystem's supply chain, comes as a response to a number of security incidents that have targeted open-source repositories in recent months.
After malicious actors took over NPM developer accounts in 2021 to inject malicious code into popular packages such as "ua-parser-js," "coa," and "rc," GitHub moved to harden the NPM registry by mandating two-factor authentication (2FA) for maintainers and administrators of top packages beginning in the first quarter of 2022.
"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," the Python Package Index (PyPI) said in a statement.