The Python Package Index (PyPI) is far and away the largest and most visible service that the Python Software Foundation (PSF) supports for the Python community. Throughout the project’s 16-year history, it has primarily relied on volunteers and donated services to operate as it grew from an empty repository to one hosting more than 1.1 million releases for over 162,000 projects and serving more than 2.2 petabytes in 13.8 billion requests in the last month.
In November 2017, we announced an award from the Mozilla Open Source Support (MOSS) program that made it possible to launch the ground-up rewrite of PyPI’s backend in April of 2018. This milestone has lowered maintenance overhead and helped put the codebase into a much better state for adding new features, improved security, and increased accessibility for users.
While some smaller features have already been proposed, designed, submitted, reviewed, and merged by volunteer contributors, other larger improvements warrant paid work. As 2019 approaches, we are excited to look forward to plans that will help deliver important improvements to the security and accessibility of PyPI.
As a grant-giving non-profit, the Python Software Foundation is grateful to the organizations that make funding this work possible. For 2019 we are glad to have two initiatives in the works.
We’re excited to announce that Facebook has provided the Python Software Foundation with a monetary gift that will be used to fund the development and deployment of enhanced security features to PyPI. As a major Python user, contributor, and supporter, Facebook was impressed with the success of the MOSS award and is enthusiastically assisting with further enhancements to PyPI with this gift.
The PSF Packaging Working Group plans to use these funds to implement highly requested security features in PyPI, such as cryptographic signing and verification of files uploaded to and installed from the index. Additionally, systems for the automated detection of malicious uploads will shorten response times and improve the resiliency of PyPI against attacks such as “pytosquatting”.
This work will be undertaken in the second half of 2019, but planning will begin in the second quarter of the year.
Open Technology Fund
The Open Technology Fund (OTF) supports projects and people that develop open and accessible technologies promoting human rights and open societies and help advance inclusive and safe access to global communications networks.
The PSF Packaging Working Group is delighted to have been awarded a contract through the OTF Core Infrastructure Fund to add key security features to PyPI, including API keys, multi-factor authentication, and audit logs. Additionally, accessibility and localization features will be a key focus as we ensure the service’s ability to support our global community of users.
We plan to begin this work in the first quarter of 2019. If you’re interested in getting involved, keep reading!
If you’re interested in getting involved, you can do so today by responding to our Request for Proposals to fulfill the OTF contract. This RFP will close January 25th, 2019 AoE. If you’re interested in getting involved at a later date to complete the work planned for the Facebook Gift, keep your eyes on this blog, subscribe to the PSF newsletter, or follow us on Twitter.