The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed "critical."

Python 官方第三方软件存储库的维护者已开始对被视为“关键”的项目实施新的双因子身份验证 (2FA) 。

"We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," Python Package Index (PyPI) said in a tweet last week.

“我们已经开始推出2FA 要求：不久之后，关键项目的维护者必须启用 2FA 才能发布、更新或修改它们，”Python Package Index (PyPI)在上周的一条推文中表示。

"Any maintainer of a critical project (both 'Maintainers' and 'Owners') are included in the 2FA requirement," it added.

“关键项目的任何维护者（‘维护者’和‘所有者’）都包含在 2FA 要求中，”它补充道。

Additionally, the developers of critical projects who have not previously turned on 2FA on PyPi are being offered free hardware security keys from the Google Open Source Security Team.

此外，谷歌开源安全团队为之前未在 PyPi 上启用 2FA 的关键项目的开发人员提供免费的硬编码密钥。

PyPI, which is run by the Python Software Foundation, houses more than 350,000 projects, of which over 3,500 projects are said to be tagged with a "critical" designation.

PyPI 由 Python 软件基金会运营，拥有超过 350,000 个项目，其中超过3,500 个项目被标记为“关键”名称。

According to the repository maintainers, any project accounting for the top 1% of downloads over the prior 6 months is designated as critical, with the determination recalculated on a daily basis.

根据存储库维护者的说法，任何在前 6 个月内占下载量前 1% 的项目都被指定为关键项目，并且每天都会重新计算该确定值。

But once a project has been classified as critical it's expected to retain that designation indefinitely, even if it drops out of the top 1% downloads list.

但是，一旦一个项目被归类为关键项目，即使它掉出前 1% 的下载列表，它也有可能被无限期地保留该名称。

The move, which is seen as an attempt to improve the supply chain security of the Python ecosystem, comes in the wake of a number of security incidents targeting open-source repositories in recent months.

此举被视为改善Python 生态系统供应链安全性的尝试，是在最近几个月针对开源代码库的一系列安全事件之后发生的。

Last year, NPM developer accounts were hijacked by bad actors to insert malicious code into popular packages "ua-parser-js," "coa," and "rc," prompting GitHub to tighten the security of the NPM registry by requiring 2FA for maintainers and admins starting in the first quarter of 2022.

去年，NPM 开发者账户被攻击者劫持，将恶意代码插入到流行的包“ua-parser-js”、“coa”和“rc”中，这促使GitHub从2022 年第一季度开始要求维护者和管理员进行 2FA 来加强 NPM 注册表的安全性。

"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," PyPi said.

“确保最广泛使用的项目具有这些防止帐户接管的保护措施，是我们朝着为所有 PyPI 用户提高 Python 生态系统的总体安全性而做出的最广泛努力的一步，”PyPi 说。

一切的输入都是有害的，一切的请求都是不可信的。

——网安用语

本文翻译自：

https://thehackernews.com/2022/07/pypi-repository-makes-2af-security.html

如若转载，请注明原文地址