Channel: Planet Python

Talk Python to Me: #377: Python Packaging and PyPI in 2022

PyPI has been in the news for a bunch of reasons lately. Many of them good. But also, some with a bit of drama or mixed reactions. On this episode, we have Dustin Ingram, one of the PyPI maintainers and one of the directors of the PSF, here to discuss the whole 2FA story, securing the supply chain, and plenty more related topics. This is another important episode that people deeply committed to the Python space will want to hear.<br/> <br/> <strong>Links from the show</strong><br/> <br/> <div><b>Dustin on Twitter</b>: <a href="https://twitter.com/di_codes" target="_blank" rel="noopener">@di_codes</a><br/> <br/> <b>Hardware key giveaway</b>: <a href="https://pypi.org/security-key-giveaway/" target="_blank" rel="noopener">pypi.org</a><br/> <b>OpenSSF funds PyPI</b>: <a href="https://openssf.org/blog/2022/06/20/openssf-funds-python-and-eclipse-foundations-and-acquires-sos-dev-through-alpha-omega-project/" target="_blank" rel="noopener">openssf.org</a><br/> <b>James Bennett's take</b>: <a href="https://www.b-list.org/weblog/2022/jul/11/pypi/" target="_blank" rel="noopener">b-list.org</a><br/> <b>Atomicwrites (left-pad on PyPI)</b>: <a href="https://old.reddit.com/r/Python/comments/vuh41q/pypi_moves_to_require_2fa_for_critical_projects/" target="_blank" rel="noopener">reddit.com</a><br/> <b>2FA PyPI Dashboard</b>: <a href="https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1" target="_blank" rel="noopener">datadoghq.com</a><br/> <b>GitHub 2FA - all users that contribute code by end of 2023</b>: <a href="https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/" target="_blank" rel="noopener">github.blog</a><br/> <b>GPG - not the holy grail</b>: <a href="https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/" target="_blank" rel="noopener">caremad.io</a><br/> <b>Sigstore for Python</b>: <a href="https://pypi.org/project/sigstore/" target="_blank" rel="noopener">pypi.org</a><br/> 
<b>pip-audit</b>: <a href="https://pypi.org/project/pip-audit/" target="_blank" rel="noopener">pypi.org</a><br/> <b>PEP 691</b>: <a href="https://peps.python.org/pep-0691/" target="_blank" rel="noopener">peps.python.org</a><br/> <b>PEP 694</b>: <a href="https://peps.python.org/pep-0694/" target="_blank" rel="noopener">peps.python.org</a> (in draft)<br/> <b>Watch this episode on YouTube</b>: <a href="https://www.youtube.com/watch?v=-7zOg1FjTg4" target="_blank" rel="noopener">youtube.com</a><br/> <br/> <b>--- Stay in touch with us ---</b><br/> <b>Subscribe to us on YouTube</b>: <a href="https://talkpython.fm/youtube" target="_blank" rel="noopener">youtube.com</a><br/> <b>Follow Talk Python on Twitter</b>: <a href="https://twitter.com/talkpython" target="_blank" rel="noopener">@talkpython</a><br/> <b>Follow Michael on Twitter</b>: <a href="https://twitter.com/mkennedy" target="_blank" rel="noopener">@mkennedy</a><br/></div><br/> <strong>Sponsors</strong><br/> <a href='https://talkpython.fm/compiler'>RedHat</a><br> <a href='https://talkpython.fm/irl'>IRL Podcast</a><br> <a href='https://talkpython.fm/assemblyai'>AssemblyAI</a><br> <a href='https://talkpython.fm/training'>Talk Python Training</a>
