We applaud PyPI's steps to make Python more secure
Open source software is built on trust. Trust must be established and earned, and that requires structures that let the developer community both trust and be trusted. The Python Package Index (PyPI) took a huge step forward last week toward more security and trust within the Python ecosystem. In the coming months, PyPI will require two-factor authentication (2FA) for projects deemed critical — that is, any project in the top 1% of downloads over the past 6 months. To that end, eligible maintainers of critical projects can redeem two free security keys to set up 2FA.
Today, a few short days after the announcement, over 100 projects and nearly 2,000 maintainers have already opted into the 2FA requirement. You can watch this growing adoption in real time on the PyPI 2FA Dashboard. This swift and accelerating enrollment, months before the requirement takes effect, indicates how important trust and security are to open source contributors and maintainers.
PyPI is run largely by volunteer maintainers who are working to make the open source ecosystem more secure. Having checks in place that may require a small amount of time for individual maintainers to set up can have an outsized impact on the overall health of the software supply chain.
This decision situates PyPI among the security leaders in open source language communities. Required 2FA is already commonplace in Linux distributions such as Alpine, and we should celebrate the increased security efforts across the software supply chain. We would also like to recognize others in the language communities making similar efforts: RubyGems and npm are implementing multi-factor authentication requirements. Security rollouts are also coming from GitHub, which will require 2FA of all code contributors by the end of 2023, and the OpenSSF created a Securing Software Repositories working group earlier this year.
Incremental steps towards a more secure open source ecosystem will help all developers better understand the provenance of the packages they rely on, and in turn protect the end users who run software built from those packages. Overall, increased security efforts help to mitigate vulnerabilities and prevent malicious attacks by supporting a clearer picture of the packages that undergird the software that we build.
Understandably, being among the first to make a big step forward may invite some debate, and adding tasks for open source maintainers (who are often volunteers) should be done with thoughtfulness and care. James Bennett addressed many of the critiques in his post, “Yes, I have opinions on your open source contributions,” concluding that efforts such as 2FA can have “big payoffs in improved security.” Recent open source software attacks that would likely have been prevented with 2FA include hijackers compromising maintainer accounts for the UA-Parser-JS npm library and the strong_password Ruby gem. Without safeguards in place, software supply chain attacks will continue to rise.
While 2FA and other potential security checks and balances do require non-zero effort on the part of maintainers, the long-term impact on security will prove more than worthwhile, as they work to prevent attacks and build trust. We believe that PyPI has shown appreciation and empathy towards the developer community, and that the Packaging Working Group has laid the groundwork for a move toward greater security that is as frictionless as possible.
The current approach to open source security is not enough. We need to make incremental changes towards more holistic and intentional efforts to help secure open source software. Community leaders like PyPI are exactly the people who should be spearheading these efforts. A more secure foundation will foster greater trust across the open source community.
— Dan Lorenc, Tracy Miranda and Lisa Tagliaferri