Open pfmoore opened 1 year ago
pradyunsg
commented
1 year ago I reckon this will end up being multiple pieces of documentation around this topic… and it would certainly be valuable to document these things from the perspective of an end user as well as a publisher who wishes/needs to care about this topic.
pradyunsg
commented
11 months ago FYI @sethmlarson, as the author of https://github.com/sethmlarson/secure-python-package-template/ and also https://sethmlarson.dev/security-developer-in-residence :)
sethmlarson
commented
11 months ago @pradyunsg This is definitely on my list. Thanks for tagging me on an existing issue! 🚀
Originally raised as https://github.com/pypi/warehouse/issues/12244 but they asked me to open it here instead. See that issue for the background.
What's the problem this feature will solve? Many projects on PyPI are relied on by significant numbers of consumers. And supply chain integrity and the risks involved are very high profile these days - with little or no consideration being given to the fact that many developers are hobbyists, and have no real experience in securing high-value software. In particular, the average developer may not have sufficient knowledge or understanding of security practices and terminology in order to maintain their accounts securely.
Describe the solution you'd like Documentation of good security practices for password management, use of 2FA and other tools such as biometrics, OS-level identity management, etc. This should be written for the end user, explicitly avoiding technical terms such as "webauthn" or "TOTP" in favour of descriptions that developers can relate to their working environment. In particular, care should be taken not to assume that users understand web application development, and may well be "scared off" certain technologies by reports in the media of hacking.
Documentation should cover:
The documentation should be specific, recommending actual tools and devices, and should not assume that the reader is necessarily interested in doing their own research.
Additional context Users working on Python projects as a hobby are unlikely to want to set up a complex software management environment, so advice on how to set up a minimal system, using as much as possible OS-supplied or commonly available components, would be important.
Ideally, the document should not be restricted to just securing PyPI credentials, but should cover the whole software development supply chain, including github, CI and automated builds, etc. It is important to have one definitive document that covers everything, and offers consistent[^1] and unified recommendations. If that means that this should not be hosted as part of the PyPI documentation, but somewhere else (as a blog post, or "best practices" document somewhere) and linked from the PyPI docs, then I'm fine with that.
See the thread starting at https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/51 for further context.
[^1]: A PyPI document recommending a tool that doesn't work with (say) github, is no use, as it simply leaves me having to manage multiple tools/devices with no good information on how to unify them.