<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> something I find useful to keep in mind, for myself, is that I'm in technology because it is an almost unbounded force multiplier</p><p>between various packages, software I wrote has been downloaded over <em>eight billion</em> times</p><p>that's a lot of potential for malice.</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> I hope it's something good.</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> I only have a small peek behind the curtain here (I am not involved, just friends with many people who are). Before I start describing vague background vibes, have you read all the official comms? <a href="https://blog.pypi.org/posts/2024-01-01-2fa-enforced/" target="_blank" rel="nofollow noopener" translate="no">https://blog.pypi.org/posts/2024-01-01-2fa-enforced/</a></p>
<p><span class="h-card" translate="no"><a href="https://fosstodon.org/@deshipu" class="u-url mention">@<span>deshipu</span></a></span> reading this made me reach for alcohol</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> seriously, just stuff it in a single .exe file with py2exe and run it with wine, it's the only cross-platform way</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> I actually have no idea what the decision-making behind PyPI's decisions was, and if I had to guess I would feel that some industry pressure probably came into it. Do you know what the reasoning was? I'd be interested</p>
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> actually, speaking of PyPI, the (suspiciously named) Trusted Publishing thing that PyPI &amp; GitHub are doing is actually lifting a lot of the pressure off me related to being used as an attack vector</p><p>being able to<br />(a) publish releases from a CI builder, bypassing my local machine entirely, and<br />(b) confirm that the release was built from an authentic git commit<br />removes a lot of reasons for previously manually running <code>twine upload</code> from a machine I've used for 10+ years</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> but I do think it's illuminating to consider that PyPI, which is run by a nonprofit, stewarded by the community, and has an extremely different set of motivations and constraints, came to more or less the exact same conclusion as Microsoft (née GitHub) did, which I think at least *hints* at a real problem that bears consideration here</p>
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> the last public talk I gave was kinda about this :) and it's very complicated and nuanced, with a lot of moving parts, a lot of which have to do with how permission primitives work with respect to code execution on pretty much every modern platform.</p>