The whole package has now been deprecated by the maintainer:<p>'PyPI wants me to enable 2FA just because I maintain this package, and both that and the mess resulting from a stunt of mine, I thought it'd be a good time to deprecate this package. Python 3 has os.replace and os.rename which probably do well enough of a job for most usecases.'<p><a href="https://github.com/untitaker/python-atomicwrites" rel="nofollow">https://github.com/untitaker/python-atomicwrites</a><p>Edit:<p>From the bug report<p>'I decided to deprecate this package. While I do regret to have deleted the package and did end up enabling 2FA, I think PyPI's sudden change in rules and bizarre behavior wrt package deletion doesn't make it worth my time to maintain Python software of this popularity for free. I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so.'<p>I can see the maintainers point, even if it may be inconvenient.
This is a bizarrely emotional response to me. PyPI offered to provide a security key to make the maintainer's life easier so it's hard to see this as an "entitled" act. When I see the core infrastructure for open source software ecosystems improve I cheer that effort on.<p>While I am in full support of not asking too much of open source maintainers a cooperative stance makes the overall situation better for everyone involved. This could have been handled in a better way.
From the GitHub README:<p>> PyPI wants me to enable 2FA just because I maintain this package, which I don't care for. So this package is now unmaintained.<p>Just set up a KeepassXC file and put your 2FA info in there? You don't need to give PyPI your phone info, PyPI takes TOTP[1]. 2FA is pretty normal; I don't see why the author has a problem with it. It doesn't violate privacy (since it's not actually tied to any PII like a phone number), it takes like 10 seconds to set up, and it protects your packages from hackers. Perhaps the author simply doesn't see the point of 2FA, since he implies the PyPI authors only did it for compliance reasons (and not for normal bolt-your-doors security reasons, which is more likely)?<p>He calls setting up 2FA "an expense of my free time" when surely it took more time for him to delete and re-add his package than it would have to just set up 2FA.<p>EDIT:<p>To be fair, the maintainer owes us nothing[2], sure. But it's not unreasonable to protect the larger community with basic security practices, either.<p>1: <a href="https://pypi.org/help/#twofa" rel="nofollow">https://pypi.org/help/#twofa</a><p>2: <a href="https://gist.github.com/richhickey/1563cddea1002958f96e7ba95" rel="nofollow">https://gist.github.com/richhickey/1563cddea1002958f96e7ba95</a>...
You know which modules I'm not using for my critical projects? Ones whose maintainers refuse to enable 2fa. We already know how supply chain security problems have plagued npm and pypi. Dependabot should alert you when your dependency comes from a package maintainer that doesn't use 2fa.
Also got this letter of happiness. I don't mind 2FA, already had it set up. But PyPi is weird. I wanted to add a secondary 2FA device for backup, but they would not just let me do it. I had to download recovery codes first. But what am I going to do with them? Unlike 2FA tools there's no convenient way to store them. But because they insisted (and they really did by immediately asking me to burn one of them) I just saved them into a random file on my local disk. I suppose I could delete them, but I would rather not have gotten them in the first place.
PyPI identifies a package as critical and asks the maintainer to enable 2FA.. but allows them to simply delete the package to get around this requirement?
I assume/ hope that this is PyPI's <i>first step</i> in rolling out mandatory 2FA? Otherwise the whole "you're critical so you have to enable it" seems a bit silly in that you're going to have developers who <i>get critical</i> decide they don't want to do this, and at that point pull packages/ stop maintaining.<p>Just having a 2FA requirement from the start (or some grace period like 7 days) seems like the way to do it.
Someone on Reddit [1] ran their own version [2] of the query PyPi used to make this determination. Over the last 6 months, atomicwrites was downloaded 38,497,903 times, good for just under #400 by rank.<p>[1] <a href="https://old.reddit.com/r/Python/comments/vuh41q/pypi_moves_to_require_2fa_for_critical_projects" rel="nofollow">https://old.reddit.com/r/Python/comments/vuh41q/pypi_moves_t...</a>
[2] <a href="https://gist.github.com/jack1142/efe5c89b861a41616aaf858783835eed" rel="nofollow">https://gist.github.com/jack1142/efe5c89b861a41616aaf8587838...</a>