@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.
To scream into the void: Yes, PyPI, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile reproducibility is now broken for those packages.
🚨 PSA: #PyPI is requiring #2FA in 2024 to publish new releases. If you're a developer of #Python packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.
#Python bundles xz v5.2.5 and earlier, which don't contain the backdoored binary files. #PyPI is also not affected due to using Debian Bookworm, not Sid.
Querying PyPI packages and Python Dockerhub images doesn't show any xz 5.6.x binaries.
From what I've gathered from others, the backdoor appears to target sshd (SSH server) on glibc-based distros, so if you're using Ubuntu or Fedora check that you aren't affected.
The #PSF has received funding for Malware Detection on #PyPI from #CSET! This will mean getting closer to near-instant takedowns of malware on PyPI without needing to infinitely scale up manual triaging of reports all while remaining open! 🎉
Looking back at 2023, @miketheman uncovered some impressive metrics that we want to share! A big thanks to Fastly, and also to @awsopen, for making Mike's job possible! #thankyou #PyPI #python
On this #PiDay, we want to remind you that our love for #python is infinite! Give the unique and unrepeatable love of Python* to yourself or a friend 💙💛 grab the @nostarch Humble Bundle today!