On Friday, the Python Package Index (PyPI), the official repository of third-party open-source Python projects announced plans to mandate two-factor authentication requirement for maintainers of “critical” projects.
Although many community members praised the move, the developer of a popular Python project decided to delete his code from PyPI and republish it to invalidate the “critical” status assigned to his project.
PyPI rolls out 2FA for top 1% projects
Yesterday, admins of the PyPI registry announced they were in the process of introducing two-factor authentication (2FA) requirement for projects deemed “critical.”
Any PyPI project accounting for the top 1% of downloads over the last six months as well as PyPI’s dependencies have been designated critical.
“In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months,” announced the admins in a blog post.
Additionally, the maintainers of critical projects are being offered free hardware security keys, with support from the Google Open Source Security Team, a sponsor of Python Software Foundation (PSF).
The initiative follows recent repeated incidents of legitimate software libraries getting hijacked—across both the npm and PyPI ecosystems.
Last year, heavily used npm libraries, ‘ua-parser-js,’ ‘coa’ and ‘rc’ were altered with malware after a compromise of their maintainer accounts. As such, npm’s parent company, GitHub, took steps to roll out an enhanced login experience (2FA options) for developers starting December 2021, with further security updates announced this May.
With the most recent news of PyPI project ‘ctx’ getting hijacked, as BleepingComputer first reported, and the case later turning out to be an “ethical” hacking experiment gone wrong, PyPI has followed GitHub’s lead in also implementing 2FA for maintainer accounts.
“Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users,” explains PyPI admins who have also shared a dashboard showing over 3,818 PyPI projects and 8,218 PyPI user accounts that they have identified as “critical” and who will likely be asked to adopt 2FA.
In spite of this, over 28,000 PyPI user accounts (including those not associated with a “critical” project) have voluntarily enabled 2FA.
Developer pushes back at mandatory 2FA
Although most [1, 2, 3] have reacted favorably to the move and welcomed PyPI’s initiative towards enhancing the overall security of the software supply chain, some have not.
Markus Unterwaditzer, developer of the ‘atomicwrites’ PyPI project decided to delete his code from the registry after receiving a “Congratulations!” email from PyPI notifying the developer of his project having been deemed critical and now requiring two-factor authentication.
Note, Unterwaditzer’s atomicwrites reportedly gets downloaded over 6 million times in a given month.
Some compared this move to the 2016’s left-pad incident that involved another developer almost breaking the internet by withdrawing his critical JavaScript projects from the npm registry.
Although, in this case, Unterwaditzer simply re-published versions of ‘atomicwrites’ to reset his project’s download counts (and hence its “critical” project status assigned by PyPI) as opposed to permanently withdrawing his code. By contrast, the circumstances surrounding the ‘left-pad’ incident were somewhat different and involved a trademark dispute.
“I decided to deprecate this package. While I do regret to have deleted the package and did end up enabling 2FA, I think PyPI’s sudden change in rules and bizarre behavior wrt package deletion doesn’t make it worth my time to maintain Python software of this popularity for free. I’d rather just write code for fun and only worry about supply chain security when I’m actually paid to do so,” wrote Unterwaditzer.
BleepingComputer observed Unterwaditzer has indeed republished all versions of his project shortly after removing them within the last 24 hours:
Other community members chimed in on the matter as well:
Armin Ronacher, the creator of Python-based micro web framework. Flask argued:
“…when I create an Open Source project, I do not chose to create a ‘critical’ package. It becomes that by adoption over time,” wrote Ronacher.
“Right now the consequence of being a critical package is quite mild: you only need to enable 2FA. But a line has been drawn now and I’m not sure why it wouldn’t be in [PyPI’s] best interest to put further restrictions in place.”
“Instead of putting the burden to the user of packages, we’re now piling stuff onto the developer who already puts their own labor and time into it. From the Index’ point of view there is a benefit to not enforce rules on everybody as some of these rules might make the use of the index burdensome, but putting the burden only on critical packages does not hurt the adoption just as much,” further writes the developer.
The repeated malware incidents and attacks involving open source software components have forced registry administrators to step up security across their platforms. It remains yet to be seen how well would the added burden of securing their projects, in addition to developing them, aligns with the expectations of an open source software developer.