I’m not sure how I feel about PyPI now tracking “critical” projects and requiring extra rules. 2FA enforcement seems fine, but I strongly doubt this will be the end of it.
Requiring projects that represent millions of downloads a month to implement basic security features seems like a pretty sane thing to do to me TBH, but I may be a little biased.
Sure, but what's next? Needs to have a security@ email? Needs to file CVEs? Needs to sign all releases? Needs to have an SLA and active contact email? I understand that this is a slippery slope argument but you're changing the rules after the fact.
I cannot imagine requiring an email, CVE, SLA, etc.
I can imagine requiring signed releases.
Honestly, if you don't trust the PyPI maintainers to make reasonable decisions about what to enforce, then you should talk to the PSF about getting us removed or stop using PyPI.
What bothers me is that criticality is determined by downloads. I understand that it's a hard thing to measure, but I have at least one project that's at version 0.2, has had barely any feedback on the API, and yet it's now critical.
And I can't ask for it to not be classed as critical...
Criticality is roughly measured by how large of an impact compromise would have for that project. That metric doesn't really care what you *intended*, just what the facts on the ground are for how many people/machines would be affected by compromise.
It's completely reasonable to require 2FA or better yet strong 2FA for your repository. It's quite strange to arbitrarily impose it only on certain people. I don't think there would have been much of a controversy at all if you had simply required that everyone start using 2FA.
I don't think they would have had an issue with you requiring that everyone use 2FA. Their issue is with your designating their packages as critical based on their usage and imposing more requirements on them than you do on others when they didn't sign up for that at all.
2FA is not a significant burden and could be applied for everyone. If on the other hand you want certain projects you have designated as important to start doing more than you require for everyone else, you should be reaching out to those developers and figuring out compensation.
I hope you're not paying for metered bandwidth because there's now an incentive for a company to inflate download statistics for all their dependencies in order for them to impose basic security standards on the maintainers. Enforcing 2FA isn't the issue, the arbitrary metric is.
PyPI serves almost 50PB a month of traffic, if a company manages to individually move the needle in a way where it wouldn't be more cost effective to just give those maintainers $1000 to enable 2FA, I'll be incredibly impressed.