[TheBrokenRail]

I hate these 2FA mandates. I don't use PyPI, but I do use GitHub, which has also announced a 2FA mandate.

I use my GitHub account to make bug reports, small pull requests, and silly personal projects. It is not that important. I want to sacrifice security for convenience on it, and that should be my choice.

I also do not agree with the argument this secures the supply chain because:

1. It ignores supply-chain attacks from people who already have repository access.

2. Most big companies (ie. Google) are probably already using 2FA.

3. And if people are automatically pulling code from random people/groups without checking it... maybe that's what actually needs to be banned.

[CatWChainsaw]

I hate 2FA where it's not needed because it removes the last vestige of anonymous accounts.

[fsociety]

Unfortunately even if you did not pull code from random groups, and instead curated your GitHub dependencies, you can still be caught by surprise when one person has a re-used password and no 2FA because “ugh it’s so inconvenient”.

Nothing will fully secure the supply chain, but this certainly reduces risk and given the impact software has in today’s world it’s important.

[d4mi3n]

I don’t really agree with your sentiment, but the points you make aren’t wrong. The big issue I see is with your last point:

> 3. And if people are automatically pulling code from random people/groups without checking it... maybe that's what actually needs to be banned.

Github does not have control over this but would largely be blamed for the fallout, regardless of how reckless some individuals may be.

The best most orgs can do to avoid liability/risk is usually to make changes to things they control, even if it isn’t the best option.

You see this sort of coping mechanism in all sorts of situations if you start looking for it.