Wednesday, July 31, 2019

PyPI now supports uploading via API token

We're further increasing the security of the Python Package Index with another new beta feature: scoped API tokens for package upload. This is thanks to a grant from the Open Technology Fund, coordinated by the Packaging Working Group of the Python Software Foundation.

Over the last few months, we've added two-factor authentication (2FA) login security methods. We added Time-based One-Time Password (TOTP) support in late May and physical security device support in mid-June. Now, over 1600 users have started using physical security devices or TOTP applications to better secure their accounts. And over the past week, over 7.8% of logins to PyPI.org have been protected by 2FA, up from 3% in the month of June.

[Image: Add API token screen, with a text field for the token name and a dropdown menu to choose the token scope. Caption: PyPI interface for adding an API token for package upload]

Now, we have another improvement: you can use API tokens to upload packages to PyPI and Test PyPI! And we've designed the token to be a drop-in replacement for the username and password you already use (warning: this is a beta feature that we need your help to test).

How it works: Go to your PyPI account settings and select "Add API token". When you create an API token, you choose its scope: you can create a token that can upload to all the projects you maintain or own, or you can limit its scope to just one project.


[Image: API token management interface, listing each token's name, scope, date/time created and date/time last used, with options to view a token's unique ID or revoke it. Caption: PyPI API token management interface]

The token management screen shows you when each of your tokens was created and last used. You can revoke one token without revoking the others, and without having to change your password on PyPI and in configuration files.

Uploading with an API token is currently optional but encouraged; in the future, PyPI will set and enforce a policy requiring users with two-factor authentication enabled to use API tokens to upload (rather than just their password sans second factor). Watch our announcement mailing list for future details.

[Image: A successful API token creation: a long string that is shown only once, for the user to copy. Caption: Immediately after creating the API token, PyPI gives the user one chance to copy it]

Why: These API tokens can only be used to upload packages to PyPI, and not to log in more generally. This makes it safer to automate package upload and store the credential in the cloud, since a thief who copies the token won't also gain the ability to delete the project, delete old releases, or add or remove collaborators. And, since the token is a long character string (with 32 bytes of entropy and a service identifier) that PyPI has securely generated on the server side, we vastly reduce the potential for credential reuse on other sites and for a bad actor to guess the token.
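To make the properties in the two paragraphs above concrete (server-side generation with 32 bytes of entropy plus a service identifier, a scope of either all of the user's projects or a single one, upload-only use, and per-token revocation), here is a small model of such a token store. This is an added illustration and not Warehouse's code: the `pypi-` prefix, the SHA-256 storage of the secret, the `TokenStore` API and the sample users and projects are all assumptions made for the example.

```python
"""Model of scoped, upload-only API tokens (added example, not PyPI code)."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SERVICE_ID = "pypi-"  # service identifier prefix; assumed form for this example


@dataclass
class TokenRecord:
    name: str
    scope: str                   # "all" or the name of a single project
    owner: str
    digest: str                  # SHA-256 of the secret; the secret is never stored
    created: datetime
    last_used: Optional[datetime] = None
    revoked: bool = False


class TokenStore:
    """Server-side store: issues, checks and revokes upload tokens."""

    def __init__(self):
        self._records = {}       # digest -> TokenRecord
        self.projects = {}       # project name -> set of maintainer/owner usernames

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, owner, name, scope="all"):
        """Generate the token server-side; the secret is returned exactly once."""
        if scope != "all" and owner not in self.projects.get(scope, set()):
            raise PermissionError(f"{owner} does not maintain {scope}")
        # 32 bytes from the OS CSPRNG, so the token cannot realistically be guessed
        secret = SERVICE_ID + secrets.token_urlsafe(32)
        rec = TokenRecord(name, scope, owner, self._digest(secret),
                          datetime.now(timezone.utc))
        self._records[rec.digest] = rec
        return secret

    def authorize_upload(self, secret, project):
        """True only for a live token whose owner maintains `project`
        and whose scope covers it; records the last-used time."""
        rec = self._records.get(self._digest(secret))
        if rec is None or rec.revoked:
            return False
        if rec.owner not in self.projects.get(project, set()):
            return False
        if rec.scope not in ("all", project):
            return False
        rec.last_used = datetime.now(timezone.utc)
        return True

    def authorize_login(self, secret):
        """Tokens are upload-only: a stolen token never grants an account login,
        so it cannot delete projects or releases or change collaborators."""
        return False

    def revoke(self, owner, name):
        """Revoke one named token; the owner's other tokens keep working."""
        for rec in self._records.values():
            if rec.owner == owner and rec.name == name and not rec.revoked:
                rec.revoked = True
                return True
        return False

    def list_tokens(self, owner):
        """What the management screen shows: name, scope, created, last used."""
        return [(r.name, r.scope, r.created, r.last_used)
                for r in self._records.values() if r.owner == owner and not r.revoked]


if __name__ == "__main__":
    store = TokenStore()
    store.projects = {"alpha": {"alice"}, "beta": {"alice"}}   # constructed sample data
    ci_token = store.issue("alice", "ci-alpha", scope="alpha")
    print(store.authorize_upload(ci_token, "alpha"), store.authorize_upload(ci_token, "beta"))
```

The point of hashing the secret before storing it is the same as for passwords: a copy of the token table does not yield usable tokens, while the high-entropy secret makes an offline guess infeasible.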


Help us test: Please try this out! This is a beta feature and we expect that users will find minor issues over the next few weeks; we ask for your bug reports. If you find any potential security vulnerabilities, please follow our published security policy. (Please don't report security issues in Warehouse via GitHub, IRC, or mailing lists. Instead, please directly email security@python.org.) If you find an issue that is not a security vulnerability, please report it via GitHub.

We'd particularly like testing from:
  • Organizations that automate uploads using continuous integration
  • People who save PyPI credentials in a .pypirc file
  • Windows users
  • People on mobile devices
  • People on very slow connections
  • Organizations where users share an auth token within a group
  • Projects with 4+ maintainers or owners
  • People who usually block cookies and JavaScript
  • People who maintain 20+ projects
  • People who created their PyPI account 6+ years ago
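For the CI and .pypirc testers named in the list above, here is an added example of using the token as the drop-in credential the post describes. It is not code from PyPI or from twine. It follows PyPI's documented convention of `__token__` as the username and the `pypi-` token prefix (both known outside this post, not stated in it), and it assumes the token reaches the build through an environment variable named `PYPI_UPLOAD_TOKEN`; the file is created owner-readable only so the secret is never left world-readable on a shared runner.

```python
"""Write a .pypirc that uses an upload token (added example, not PyPI or twine code)."""
import configparser
import os
import stat
import tempfile

TOKEN_PREFIX = "pypi-"   # service identifier prefix on PyPI upload tokens


def write_pypirc(path, token, repository="pypi", repository_url=None):
    """Write `path` so that twine uses `token` for `repository`, mode 0600."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not an upload token: missing service identifier prefix")
    cfg = configparser.ConfigParser()
    cfg["distutils"] = {"index-servers": repository}
    section = {"username": "__token__", "password": token}
    if repository_url:                     # e.g. a Test PyPI upload endpoint
        section["repository"] = repository_url
    cfg[repository] = section
    # open with 0600 from the start; chmod afterwards covers a pre-existing file
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)
    return path


def read_credentials(path, repository="pypi"):
    """Return (username, password) as a tool reading the file would see them."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    return cfg[repository]["username"], cfg[repository]["password"]


def pypirc_mode_ok(path):
    """True when only the owner can read the credential file."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def pypirc_from_env(path, var="PYPI_UPLOAD_TOKEN"):
    """CI entry point: take the token from the environment, never from source control."""
    token = os.environ.get(var)
    if not token:
        raise RuntimeError(f"{var} is not set")
    return write_pypirc(path, token)


def demo(token="pypi-" + "x" * 43):
    """Round trip into a temporary directory; returns (username, token_matches, mode_ok)."""
    path = os.path.join(tempfile.mkdtemp(), "pypirc")   # constructed sample location
    write_pypirc(path, token)
    user, pw = read_credentials(path)
    return user, pw == token, pypirc_mode_ok(path)


if __name__ == "__main__":
    print(demo())
```

A project-scoped token in this file limits what a compromised runner can do to uploading new releases of that one project; revoking it from the management screen, rather than rotating a password, cuts off exactly that runner.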
What's next for PyPI: We'll move on to an advanced audit trail of sensitive user actions, plus improvements to accessibility and localization for PyPI (some of which have already started). More details are in our progress reports on Discourse.

Thanks to the Open Technology Fund for funding this work. And please sign up for the PyPI Announcement Mailing List for future updates.

Thursday, July 11, 2019

2019 PSF Fundraiser - Thank you & debrief



Thank you to all who donated to our 2019 Fundraiser, Building the PSF. Our fundraiser ended June 30th and we successfully surpassed our goal!

The PSF received over $75,000 in donations!


To learn about how the Python Software Foundation uses its funding, check out our Annual Impact Report: https://www.python.org/psf/annual-report/2019/.

What did we learn from this experience?

Collaborating with a company that supports our mission was a tremendous help. This was our first fundraiser collaborating with another organization. JetBrains sold PyCharm licenses at a discounted rate and donated all of the proceeds to the PSF. This partnership contributed $29,609 to this fundraiser. We thank JetBrains and their entire team for all of the effort and time they put into our fundraiser. This opportunity helped us raise more money and hopefully introduced new people to our community.

Additionally, we learned that having a strong beginning is important to reach our fundraising goal in an appropriate timeframe. Initially, the fundraiser was going to end at the end of May. Because we weren't close to reaching our goal of $60,000, we extended the fundraiser twice. Going forward we will have a better plan in place for an impactful start.

We want to hear from our community. If anyone has any suggestions or comments about our fundraisers, please don't hesitate to reach out. We aim to have an "open door" policy since our fundraisers directly impact our community.

Want to collaborate with the PSF on our next fundraiser?

As you know, the Python Software Foundation is a non-profit organization and depends on sponsorships and donations for revenue, which in turn support sprints, meetups, community events, Python documentation, fiscal sponsorships, software development, and community projects.

The PSF would love to partner with organizations to support our mission and help sustain a vibrant community. By working together, we hope to raise more funding so we can provide more community support! Contact sponsors@python.org for more information!

Tuesday, July 09, 2019

The Python Software Foundation is looking for bloggers!

Interview prominent Pythonistas, connect with the community, expand your circle of friends and learn about events in the Python world!


The Python Software Foundation (PSF) is looking to add bloggers for the PSF blog located at http://pyfound.blogspot.com/. As a PSF blogger, you will work with the PSF Communication Officers to brainstorm blog content, communicate activities, and provide updates on content progression. Examples of content include PSF community service awardee profiles, details about global Python events and PSF grants, or recent goings-on within the PSF itself. One goal of the 2019 - 2020 PSF Board of Directors is to increase transparency around PSF activities by curating more frequent blog content.

The Python Software Foundation is a 501(c)(3) non-profit corporation that holds the intellectual property rights behind the Python programming language. We also run the North American PyCon conference annually, support other Python conferences/workshops around the world, and fund Python-related development with our grants program. To see more info on our grants program, please read: https://www.python.org/psf/grants/.


Job Description

  • Capacity to contribute one to two blog posts every three months
  • Passionate about Python and the global Python community
  • Independently report progress and activities to Python Software Foundation Staff and Communication Officers on a monthly basis
  • Actively brainstorm content ideas for blog content individually as well as with Python Software Foundation Staff and Communication Officers

Needed Experience

  • Ability to work independently and on virtual teams
  • Familiarity with Python programming
  • Experience contributing to a technical blog or website in English
  • Professional proficiency in English

Bloggers for the Python Software Foundation receive a fixed fee per post they write.

To apply please email two to three examples of recent articles (e.g. personal blog, contribution to professional publication) written in English as well as a brief description of your writing experience to psf-blog-apply@python.org. Please include in the email subject "PSF Blogger Application - (Your Name)". If you have questions, direct them to psf-blog-apply@python.org as well. The Python Software Foundation will be accepting applications until 11:59:59pm Pacific Standard Time Sunday, September 1, 2019.