The whole package has now been deprecated by the maintainer:
'PyPI wants me to enable 2FA just because I maintain this package, and both that and the mess resulting from a stunt of mine, I thought it'd be a good time to deprecate this package. Python 3 has os.replace and os.rename which probably do well enough of a job for most usecases.'
'I decided to deprecate this package. While I do regret to have deleted the package and did end up enabling 2FA, I think PyPI's sudden change in rules and bizarre behavior wrt package deletion doesn't make it worth my time to maintain Python software of this popularity for free. I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so.'
I can see the maintainers point, even if it may be inconvenient.
That sounds like a best of both worlds. PyPI sets a minimum bar for developer responsibility and you can opt out of publishing to PyPI if you don't want to be that responsible.
This is a bizarrely emotional response to me. PyPI offered to provide a security key to make the maintainer's life easier so it's hard to see this as an "entitled" act. When I see the core infrastructure for open source software ecosystems improve I cheer that effort on.
While I am in full support of not asking too much of open source maintainers a cooperative stance makes the overall situation better for everyone involved. This could have been handled in a better way.
Maybe some people use their side projects to develop software without the bureaucratic crap full time jobs have. And any amount of bureaucracy is too much for his free side project
> PyPI wants me to enable 2FA just because I maintain this package, which I don't care for. So this package is now unmaintained.
Just set up a KeepassXC file and put your 2FA info in there? You don't need to give PyPI your phone info, PyPI takes TOTP[1]. 2FA is pretty normal; I don't see why the author has a problem with it. It doesn't violate privacy (since it's not actually tied to any PII like a phone number), it takes like 10 seconds to set up, and it protects your packages from hackers. Perhaps the author simply doesn't see the point of 2FA, since he implies the PyPI authors only did it for compliance reasons (and not for normal bolt-your-doors security reasons, which is more likely)?
He calls setting up 2FA "an expense of my free time" when surely it took more time for him to delete and re-add his package than it would have to just set up 2FA.
EDIT:
To be fair, the maintainer owes us nothing[2], sure. But it's not unreasonable to protect the larger community with basic security practices, either.
You know which modules I'm not using for my critical projects? Ones whose maintainers refuse to enable 2fa. We already know how supply chain security problems have plagued npm and pypi. Dependabot should alert you when your dependency comes from a package maintainer that doesn't use 2fa.
Also got this letter of happiness. I don't mind 2FA, already had it set up. But PyPi is weird. I wanted to add a secondary 2FA device for backup, but they would not just let me do it. I had to download recovery codes first. But what am I going to do with them? Unlike 2FA tools there's no convenient way to store them. But because they insisted (and they really did by immediately asking me to burn one of them) I just saved them into a random file on my local disk. I suppose I could delete them, but I would rather not have gotten them in the first place.
PyPI identifies a package as critical and asks the maintainer to enable 2FA.. but allows them to simply delete the package to get around this requirement?
Apparently when the 2fa requirement is actually implemented (this was just an announcement which triggered this) deleting a package would require 2fa as well.
I assume/ hope that this is PyPI's first step in rolling out mandatory 2FA? Otherwise the whole "you're critical so you have to enable it" seems a bit silly in that you're going to have developers who get critical decide they don't want to do this, and at that point pull packages/ stop maintaining.
Just having a 2FA requirement from the start (or some grace period like 7 days) seems like the way to do it.
Someone on Reddit [1] ran their own version [2] of the query PyPi used to make this determination. Over the last 6 months, atomicwrites was downloaded 38,497,903 times, good for just under #400 by rank.
AngusH|3 years ago
'PyPI wants me to enable 2FA just because I maintain this package, and both that and the mess resulting from a stunt of mine, I thought it'd be a good time to deprecate this package. Python 3 has os.replace and os.rename which probably do well enough of a job for most usecases.'
https://github.com/untitaker/python-atomicwrites
Edit:
From the bug report
'I decided to deprecate this package. While I do regret to have deleted the package and did end up enabling 2FA, I think PyPI's sudden change in rules and bizarre behavior wrt package deletion doesn't make it worth my time to maintain Python software of this popularity for free. I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so.'
I can see the maintainers point, even if it may be inconvenient.
staticassertion|3 years ago
The system works.
ary|3 years ago
While I am in full support of not asking too much of open source maintainers a cooperative stance makes the overall situation better for everyone involved. This could have been handled in a better way.
Wowfunhappy|3 years ago
It's even easier to just leave 2FA disabled and stop maintaining the project. Which is what they did.
Are maintainers obligated to support their projects indefinitely?
savant_penguin|3 years ago
kevin_thibedeau|3 years ago
djhaskin987|3 years ago
> PyPI wants me to enable 2FA just because I maintain this package, which I don't care for. So this package is now unmaintained.
Just set up a KeepassXC file and put your 2FA info in there? You don't need to give PyPI your phone info, PyPI takes TOTP[1]. 2FA is pretty normal; I don't see why the author has a problem with it. It doesn't violate privacy (since it's not actually tied to any PII like a phone number), it takes like 10 seconds to set up, and it protects your packages from hackers. Perhaps the author simply doesn't see the point of 2FA, since he implies the PyPI authors only did it for compliance reasons (and not for normal bolt-your-doors security reasons, which is more likely)?
He calls setting up 2FA "an expense of my free time" when surely it took more time for him to delete and re-add his package than it would have to just set up 2FA.
EDIT:
To be fair, the maintainer owes us nothing[2], sure. But it's not unreasonable to protect the larger community with basic security practices, either.
1: https://pypi.org/help/#twofa
2: https://gist.github.com/richhickey/1563cddea1002958f96e7ba95...
krasin|3 years ago
If we keep treating open source maintainers like they owe us anything, we will have fewer open source maintainers.
lbhdc|3 years ago
jbverschoor|3 years ago
bvrmn|3 years ago
jamesboehmer|3 years ago
Wowfunhappy|3 years ago
lostmsu|3 years ago
afturner|3 years ago
jbverschoor|3 years ago
mwarkentin|3 years ago
Other registries go further and make it harder or impossible to delete once certain criteria are met (pretty sure this was put in place after leftpad broke the whole ecosystem): https://docs.npmjs.com/unpublishing-packages-from-the-regist...
staticassertion|3 years ago
Just having a 2FA requirement from the start (or some grace period like 7 days) seems like the way to do it.
legobmw99|3 years ago
[1] https://old.reddit.com/r/Python/comments/vuh41q/pypi_moves_t... [2] https://gist.github.com/jack1142/efe5c89b861a41616aaf8587838...
unknown|3 years ago
[deleted]