Last week, I got a mail from PyPI, the Python package index. They informed me that one of my open source projects had been designated as ‘critical,’ and I was therefore required to enable two-factor authentication. If I didn’t oblige, I would soon lose the ability to add new releases or modify the project.
The project in question was Cerberus. The ‘critical’ designation happens when a project has been in the top 1% of downloads over the prior six months. Given that there are currently 388K packages on the Python Package Index, I must admit that having one of my projects in the top 1% does feel good.
However, I was initially a bit baffled in that I would lose control of the package if I didn’t take action. I understand the motivation behind this move, which is to improve the general security of the Python ecosystem. Still, the imposition from above didn’t feel quite right to me. After reading about the rationale for the new requirement, I surrendered, went on PyPI and activated 2FA1. In hindsight, I should have done that long ago, as I already use 2FA on many other services.
A couple of days later, I was relieved to learn that my initial “1984-dictatorship-alert” ring bell wasn’t the only one to go off. On that day, Armin Ronacher’s thoughts on this very topic made the headlines on Hacker News:
The message to me as a maintainer is quite clear: once a project achieved criticality, then the index wants to exercise a certain amount of control […] However when I create an Open Source project, I do not chose to create a “critical” package. It becomes that by adoption over time. Right now the consequence of being a critical package is quite mild: you only need to enable 2FA. But a line has been drawn now and I’m not sure why it wouldn’t be in the index best interest to put further restrictions in place.
I think Armin’s post is worth reading. I share some of his concerns, although I don’t consider ‘users vetting,’ as he suggests, a suitable alternative for authentication (vetting solves a different problem).