undefined | Better HN

0 pointswoodruffw3y ago0 comments

There are many weights involved; PyPI is trying to strike a balance between them.

Among them:

* Project installs follow a power law distribution: the top 1% of packages account for 99% of installations, and the remaining 99% account for roughly 1% of installations. In other words: prioritizing the security of the 1% of packagers means prioritizing the 99% of users who depend on those critical projects.

* PyPI has tried really hard to make 2FA as effortless and non-invasive as possible: the current program includes giving away two free physical hardware tokens, as well as a long grace period to ensure that maintainers are not caught in a sudden lurch between their open source and professional obligations. Both of these don't work at scale: PyPI doesn't have the material resources to give every maintainer free hardware tokens, and the same packaging power law means that a large number of relatively inactive maintainers will be caught by any deadline that gets set.

Ultimately, the goal is to maximize the number of users protected, maximize the quality of protection, prevent package user disruption, and minimize maintainer disruption. The current scheme, in my view, does a good job at achieving all of these goals.

FD: I worked on PyPI's 2FA implementation, but I do not represent PyPI and am not a maintainer.

0 comments

1 comments · 1 top-level

woodruffwOP3y ago

I forgot to mention another weight: maintainer time. A universal 2FA mandate would drastically increase the amount of support time maintainers spend helping users recover their accounts (a perverse problem to have!).

j / k navigate · click thread line to collapse