2023-05

2023-05-25 Securing PyPI accounts via Two-Factor Authentication by Donald Stufft #security #2fa

One of the key security promises that PyPI makes is that when you’re downloading something, that only the people associated with that project are going to be able to upload, delete, or otherwise modify a project.

That when you look at that project and see that it is owned by someone that you trust, that you can be assured that nobody else is making changes to that package on PyPI.

This promise is predicated on the security of each and every individual account on PyPI used to create and maintain a Python project.

In the past we’ve taken steps to safeguard these accounts by blocking compromised passwords, strong 2FA support using TOTP and WebAuthn, support for API tokens with offline attenuation, enrolling the most downloaded projects into mandatory 2FA, and enabling short lived tokens for upload.

Today (2023-05-25), as part of that long term effort to secure the Python ecosystem, we are announcing that every account that maintains any project or organization on PyPI will be required to enable 2FA on their account by the end of 2023.

Between now (2023-05-25) and the end of the year (2023-12-31), PyPI will begin gating access to certain site functionality based on 2FA usage. In addition, we may begin selecting certain users or projects for early enforcement.

What can I do to prepare?

The most important things you can do to prepare are to enable 2FA for your account as soon as possible,

  • either with a security device (preferred)

  • or an authentication app

and to switch to using either Trusted Publishers (preferred) or API tokens to upload to PyPI.

2023-05-23 Trusted publishing: a new benchmark for packaging security

Introduction

For the past year, we’ve worked with the Python Package Index to add a new, more secure authentication method called trusted publishing.

Trusted publishing eliminates the need for long-lived API tokens and passwords, reducing the risk of supply chain attacks and credential leaks while also streamlining release workflows.

Critical packages on PyPI are already using trusted publishing to make their release processes more secure.

Trusted publishing: OpenID Connect and “ambient” credentials

Trusted publishing is built on top of OpenID Connect (OIDC), an open identity attestation and verification standard built on top of OAuth2.

OIDC enables identity providers (IdPs) to produce publicly verifiable credentials that attest to a particular identity (like hamilcar@example.com).

These credentials are JSON Web Tokens (JWTs) under the hood, meaning that an identity under OIDC is the set of relevant claims in the JWT.
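To make the "identity is the set of claims" point concrete, here is an added example (not code from the Trail of Bits post or from PyPI) of the verifier side: a package index that has registered a trusted publisher checks the JWT's signature first and then requires every registered claim to match. The token is signed with HS256 and a shared key purely so the example runs on the standard library; real OIDC IdPs sign with RS256/ES256 and publish their keys via JWKS. The publisher registration, issuer and repository names are hypothetical.

```python
import base64, hashlib, hmac, json

# Constructed demo key standing in for the IdP's signing key (assumption:
# real deployments fetch the IdP's public key from its JWKS endpoint).
SECRET = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:
    """IdP side: issue a compact JWT (header.payload.signature) over the claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

# Hypothetical trusted-publisher registration: the claims an upload token
# must carry before the index treats it as this project's publisher.
PUBLISHER = {"iss": "https://idp.example", "aud": "pypi",
             "repository": "hamilcar/example-pkg", "workflow": "release.yml"}

def verify_token(token: str, publisher: dict = PUBLISHER) -> tuple:
    """Index side: pin the algorithm, check the signature, then match claims."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Pin the expected algorithm before trusting anything in the header.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    # The identity is the claim set: every registered claim must match exactly.
    claims = json.loads(b64url_decode(body))
    for key, want in publisher.items():
        if claims.get(key) != want:
            return False, f"claim mismatch: {key}"
    return True, "ok"
```

A token from the right issuer for a different repository is rejected by the claim check even though its signature is valid, which is the property that lets the index drop long-lived API tokens.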

2023-05-21 CPython 3.12 enters a feature freeze on May 22 and releases on October 2

CPython 3.12 enters a feature freeze on May 22 and releases on October 2. Meanwhile Rust is out here shipping a release every 6 weeks and a change you land on May 22 is shipping in Rust Stable on July 13.

The different release cadences and the behaviors they externalize are jarring.

2023-05-18 Great article from @abhi9u showing an example of executing unchanged Python code, with Mojo🔥, giving a 12x speedup

And then … 🤯 … pushing it up to 900x Python and 9x faster than NumPy by adopting more advanced features 🚀

Others