PMXBOT Log file Viewer

#pypa-dev logs for Thursday the 2nd of May, 2019

[03:43:01] <lb5tr> Hello
[13:48:38] <sumanah> woodruffw: hey -- I'm polishing https://wiki.python.org/psf/WarehousePackageMaintainerTesting before sending off the announcement I am nearly done drafting in https://github.com/pypa/warehouse/issues/5661#issuecomment-488098029
[14:03:46] <sumanah> "we're beginning to introduce two-factor authentication (2FA) as a login security option for project maintainers and owners" -- changing this since I assume all users can do this, not just project maintainers/owners woodruffw
[14:37:08] <sumanah> dstufft: di_codes: EWDurbin woodruffw ok, I've made a bunch of edits, I'm gonna start sending this out etc
[14:37:16] <sumanah> I feel pretty confident in the current text
[14:58:39] <sumanah> sent to pypi-announce
[15:13:28] <lb5tr> Hey folks
[15:13:43] <lb5tr> I'm researching the topic of detecting typosquatting in open source package managers
[15:14:00] <lb5tr> do you have any ongoing efforts going in that direction?
[15:16:59] <sumanah> Hi lb5tr
[15:17:35] <sumanah> lb5tr: so you might have seen https://pyfound.blogspot.com/2019/03/commencing-security-accessibility-and.html
[15:17:59] <sumanah> lb5tr: and https://pyfound.blogspot.com/2018/12/upcoming-pypi-improvements-for-2019.html
[15:18:09] <sumanah> the latter mentions:
[15:18:14] <sumanah> 'The PSF Packaging Working Group plans to use these funds to implement highly requested security features in PyPI such as cryptographic signing and verification of files uploaded and installed from the index. Additionally, systems for the automated detection of malicious uploads will lower the time to response and improve the resiliency of PyPI against attacks such as “pytosquatting”.'
[15:18:52] <lb5tr> neat!
[15:18:52] <sumanah> lb5tr: right now we are working on two-factor auth and in fact just today announced https://mail.python.org/archives/list/pypi-announce@python.org/thread/YTZWD5H4H3VCQTQVPRDLH2TTHVTJS7JQ/ and https://twitter.com/ThePyPA/status/1123968122925527041 are up. 2-factor auth on PyPI is on the way
[15:19:01] <sumanah> !logs
[15:19:01] <pmxbot> http://kafka.dcpython.org/channel/pypa-dev
[15:19:16] <lb5tr> but there are no design specs for the "pytosquatting" yet I assume?
[15:19:57] <sumanah> lb5tr: have you already searched the http://github.com/pypa/warehouse/ issue list for stuff about this? that is what I am about to do
[15:20:13] <lb5tr> I didn't
[15:20:17] <lb5tr> but I will
[15:20:18] <lb5tr> thanks!
[15:20:46] <sumanah> it looks like we already did some work on this in 2017 https://github.com/pypa/warehouse/issues/2151
[15:20:48] <lb5tr> there are some issues opened, will look into those
[15:22:03] <lb5tr> I created a prototype system that looks for similar sounding packages
[15:22:18] <lb5tr> and then compares the structure of such packages source distribution
[15:23:01] <lb5tr> now I'm in the process of writing a paper about it
[15:23:26] <lb5tr> and started to wonder if there are some efforts going on already
[15:23:44] <lb5tr> (probably should have done so earlier :))
[15:26:47] <sumanah> so often happens that way :)
[15:27:03] <sumanah> lb5tr: are you at PyCon in Cleveland this weekend?
[15:27:11] <lb5tr> no :(
[15:27:18] <lb5tr> I work in Seattle
[15:36:09] <sumanah> lb5tr: I hear PyCascades is cool
[15:51:43] <lb5tr> I'll try it next year, thanks
[15:56:35] <jaraco> A question I’d like to see answered on the wiki - is 2FA required for uploads? What does this imply for automated/CI-driven release workflows?
[15:57:25] <jaraco> If the answer isn’t yet known, I can investigate this weekend.