[Security-sig] Re: [Security-announce]Incident Report: Malicious takeover of ctx project on PyPI

On 5/30/22 6:56 PM, Brett Cannon wrote:

On Fri, May 27, 2022 at 9:40 AM Skip Montanaro mailto:skip.montanaro@gmail.com> wrote: 1. Would requiring 2FA for all PyPI accounts be reasonable?

Because both GitHub (https://github.blog/2022-05-04-software-security-starts-with-the-developer-s... https://github.blog/2022-05-04-software-security-starts-with-the-developer-s...) and npm (https://github.blog/2022-05-04-software-security-starts-with-the-developer-s... https://github.blog/2022-05-04-software-security-starts-with-the-developer-s...) will be requiring 2FA in the future, so we are not trailblazing here. The attackers are unfortunately too relentless and vast to leave PyPI alone. Add in the fact that Python packaging does not lock Python versions and require hash verification (at least for now; I'm still trying to get this rectified), this problem will persist.

Skip, you might also be interested in this Discourse discussion about the current state of requiring multifactor auth on PyPI: https://discuss.python.org/t/require-mfa-on-pypi/12077/28 -- Sumana Harihareswara Changeset Consulting https://changeset.nyc