Open source software is built on trust. Trust must be established and earned, which requires structures that let the developer community both trust and be trusted. The Python Package Index (PyPI) took a huge step forward last week toward greater security and trust within the Python ecosystem. In the coming months, PyPI will require two-factor authentication (2FA) for projects deemed critical, that is, any project in the top 1% of downloads over the past six months. To that end, eligible maintainers of critical projects can redeem two free hardware security keys to set up 2FA.
Today, a few short days after the announcement, over 100 projects and nearly 2,000 maintainers have already opted into the 2FA requirement. You can watch this growing adoption in real time on the PyPI 2FA Dashboard. This swift and accelerating enrollment, months before the requirement takes effect, indicates how important trust and security are to open source contributors and maintainers.
PyPI is run largely by volunteers who are working to make the open source ecosystem more secure. Checks that take an individual maintainer only a small amount of time to set up can have an outsized impact on the overall health of the software supply chain.
This decision situates PyPI among the security leaders in open source language communities. Required 2FA is already commonplace in Linux distributions such as Alpine, but every increase in security effort across the software supply chain deserves recognition. Others in the language community are making similar efforts: RubyGems and npm are implementing multi-factor authentication requirements. Security rollouts are also coming from GitHub, which will mandate 2FA for all code contributors by the end of 2023, and the OpenSSF created a Securing Software Repositories working group earlier this year.
Incremental steps toward a more secure open source ecosystem help all developers better understand the provenance of the packages they rely on, and in turn protect the end users who ultimately run that software. Overall, increased security efforts mitigate vulnerabilities and prevent malicious attacks by giving us a clearer picture of the packages that undergird the software we build.
Understandably, being among the first to make a big step forward may invite some debate, and adding tasks for open source maintainers (who are often volunteers) should be done with thoughtfulness and care. James Bennett addressed many of the critiques in his post, “Yes, I have opinions on your open source contributions,” concluding that efforts such as 2FA can have “big payoffs in improved security.” Recent open source software attacks that 2FA would likely have prevented include the account hijackings that compromised the UA-Parser-JS npm library and the strong_password Ruby gem; in both cases the attacker published malicious versions using a maintainer's credentials, which is exactly the step 2FA is designed to block. Without safeguards in place, software supply chain attacks will continue to rise.
While 2FA and other security checks and balances require some effort from maintainers, the long-term security impact will prove more than worthwhile, as they prevent attacks and build trust. We believe that PyPI has shown appreciation and empathy toward the developer community, and that the Packaging Working Group has laid the groundwork to make this move toward greater security as frictionless as possible.
The current approach to open source security is not enough. We need incremental changes toward more holistic and intentional efforts to secure open source software. Community leaders like PyPI are exactly the people who should be spearheading these efforts. A more secure foundation will foster greater trust across the open source community.
— Dan Lorenc, Tracy Miranda and Lisa Tagliaferri