Hacker News new | ask | show | jobs
by guappa 588 days ago
I think since when they have 2FA PyPI is less secure.

Before I could learn my password and type it on twine. If my machine was stolen no upload on pypi was possible.

Now it's a token file on my disk so if my machine is stolen, then token can be used to publish.

Using github to publish doesn't change anything: if my machine is stolen the token needed to publish is still there, but instead of directly to pypi it will need to go via github first.
1 comments
amelius 588 days ago
Tokens are a problem too (a yubikey might be a solution).

But an attacker could simply edit the source code on the maintainer's machine directly, and it could go unnoticed.

link
guappa 584 days ago
> Tokens are a problem too (a yubikey might be a solution).

Not the way they implement things. When they started forcing people to use 2FA, google also made a titan keys giveaway. But you set it up on your account, generate a token and that's it.

Identical situation on github. Setup 2FA with an hardware key, then generate a token and never use the hardware key ever again.

link
cpburns2009 588 days ago
I doubt Yubikey would help without some fancy setup. 2FA is required to sign into PyPI but that's it. When PyPI rolled it out I thought you'd have to use 2FA every time you publish. I thought they were taking security seriously. But no, you get your API token, save it to your computer, forget about it, and you can publish your packages forever. Now you can have Github automatically publish your packages. That's not any improvement to security. My Google security key is just collecting dust.
link
amelius 587 days ago
I'm now thinking about a system that can enforce that any line of code committed to the Git repo has been on the user's screen for at least X seconds. It could be a system completely isolated from the computer on which code is entered (e.g. via the HDMI cable).
link
guappa 584 days ago
How could you ever enforce that?
link
guappa 584 days ago
Eh mine too. I got it because I had an essential package or whatever when they started forcing 2FA to people, and I thought twine would require me to authenticate with the key to be authorised to publish.

But they didn't touch twine at all. They just made me create a token and save it in a .txt file. That's it.

link