|
Size: 2659
Comment: first draft of testing landing page
|
Size: 7249
Comment: updates for API token testing
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Help us test PyPI! = ['''This page is a draft''' and ''not to be used/publicized'' until we close out [[https://github.com/pypa/warehouse/milestone/8|the Maintainer MVP milestone]]. That'll probably be in late February 2018.] |
#language en = Help us test PyPI's authentication improvements! = Warehouse is the code behind the Python Package Repository ([[https://pypi.org/|PyPI]]). We are seeking maintainers of Projects on PyPI to test our new [[https://pypi.org/help/#twofa|two-factor auth]] and API token functionality and send us bug reports. !WebAuthn support and API tokens are in beta; please help us shake the bugs out! |
| Line 4: | Line 5: |
| Warehouse is a next-generation Python Package Repository designed to replace the legacy code base that currently powers [[https://pypi.python.org/|PyPI]] ([[https://github.com/pypa/pypi-legacy/|source code on GitHub]], [[https://wiki.python.org/psf/WarehouseRoadmap|roadmap]]). If you maintain a package on PyPI, we'd love for you to test it and send us bug reports. Go to [[https://pypi.org/|the pre-production deployment at https://pypi.org/]] and try it out! | Feedback on user experience, accessibility, and overall ease of use are welcome; we want to support your workflows for account management and package maintainership. Go to [[https://pypi.org/manage/account/#two-factor|your account settings]] and try it out! <<TableOfContents()>> == Guidelines for Particpation == * By participating, you agree to abide by the [[https://www.pypa.io/en/latest/code-of-conduct/|PyPA Code of Conduct]]. * You must verify your primary email address on your Test PyPI and PyPI accounts before setting up 2FA or an API token. * You should sign up for the [[https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/|PyPI Announcement Mailing List]] for updates. == Changes we're making == To increase the security of PyPI downloads, we're beginning to introduce [[https://pypi.org/help/#twofa|two-factor authentication (2FA)]] as a login security option, and we're adding scoped API tokens so you can upload a package using a token instead of a username and password. You can use 2FA right now on [[http://test.pypi.org/|Test PyPI]] and on [[https://pypi.org|official PyPI]]. PyPI currently supports a single 2FA method: generating a code through a Time-based One-time Password (TOTP) application. After you set up 2FA on your PyPI account, then you must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an application (usually a mobile phone app) in order to generate authentication codes; see below for suggestions and pointers. '''In beta:''' We support !WebAuthn and thus "security keys". A security key (also known as a universal second factor, or U2F key) is hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis. PyPI supports any [[https://fidoalliance.org/specifications/download/|FIDO U2F compatible key]] and follows the [[https://www.w3.org/TR/webauthn/|!WebAuthn standard]]. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in. The !WebAuthn support is '''in beta''' so check the "caution" warning below. Two-factor authentication currently only applies to the login step, not package uploads. '''In beta:''' Starting '''DATE TK''', we'll give users the ability to create and use API tokens to upload packages. API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI or Test PyPI. You can create a token for an entire PyPI account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. And then, manually or in your configuration file, when you upload, use `@token` for the username and the token string for the password. API token support is '''in beta''' so check the "caution" warning below. |
| Line 7: | Line 27: |
| * [[https://packaging.python.org/guides/migrating-to-pypi-org/|Upgrade your versions of twine and setuptools]] * [[https://packaging.python.org/guides/using-testpypi/|Upload a test package to Test PyPI]] * Check whether the project description, release history, download files, project links, maintainers, tags, and classifiers for your project on testpypi.org work correctly ([[https://test.pypi.org/project/1234_hello_world/|example]]) * [[https://packaging.python.org/tutorials/installing-packages/#installing-from-other-indexes|Use pip to install a package from PyPI.org]] * [[https://packaging.python.org/tutorials/distributing-packages/|Upload a new release of your package to PyPI.org]] |
Most of these you can test [[https://pypi.org/manage/account/#two-factor|on pypi.org]]. For testing destructive actions, like removing an owner, deleting a project, or deleting a release, please use [[https://test.pypi.org/manage/account/#two-factor|test.pypi.org]]. |
| Line 13: | Line 29: |
| == Known issues == [[https://github.com/pypa/warehouse/issues|On GitHub.]] Overview: |
=== Caution (before you test) === |
| Line 16: | Line 31: |
| * trove classifier issues * general user account polish, e.g., [[https://github.com/pypa/warehouse/issues/2887|can't recover account by email]] and [[https://github.com/pypa/warehouse/issues/2065|no confirmation email on new account registration]] * until [[https://www.python.org/dev/peps/pep-0541/|PEP 541]] is accepted, we don't have a policy to help us change ownership of package names * version sorting issues * [[https://github.com/pypa/warehouse/issues/2285|confusing "/legacy" URL]] * [[https://github.com/pypa/warehouse/issues/582|deleting legacy documentation]] * [[https://github.com/pypa/warehouse/issues/869|no Markdown support]] * [[https://github.com/pypa/warehouse/issues/1453|localization]] |
During this beta testing period, if things go awry, there's a chance we will need to wipe !WebAuthn tokens from users' accounts, so if you choose to try it, please be forewarned. That's why you need a PyPI-verified email address on [[https://pypi.org/manage/account/|your user account]] before adding a second login auth factor, to make potential account recovery smoother. Reminder! Sign up for the [[https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/|PyPI Announcement Mailing List]] to be kept in the loop as we continue this process! === Workflows === * Verify primary email address * Add, disable, and remove 2FA token using TOTP * Add, disable, and remove 2FA token using U2F (!WebAuthn) * Login/Logout * Set multiple 2FA tokens and login * Add and remove project-scoped API token * Add and remove user-scoped API token * Upload a package using API token * User Registration and Confirmation * Password Reset === Testers we need === In particular, please help us test this if any of these apply to you: * automate uploads using continuous integration * save your PyPI credentials in [[https://packaging.python.org/guides/distributing-packages-using-setuptools/#create-an-account|a `.pypirc` file]] * use Windows * usually visit PyPI on a mobile device * are an organization where users share an auth token within a group * have 4+ maintainers or owners for one project * use an unusual TOTP app or U2F token * have a slow Internet connection * usually block cookies and !JavaScript (note that you can't set up a U2F key without !JavaScript) * maintain 20+ projects * created your PyPI account 6+ years ago === Setting up a TOTP application === See [[https://pypi.org/help/#totp|our help docs]] for guidance on choosing a TOTP app for desktop or mobile. === Setting up a U2F security key === See [[https://pypi.org/help/#utfkey|our help docs]] for guidance on setting up your U2F security key. Please note that you cannot set up or use U2F for a second factor without turning on !JavaScript, and that [[https://github.com/pypa/warehouse/issues/6034|right now we only support Chrome, Edge, and Firefox]]. == Security bugs == If you find any potential security vulnerabilities, please [[https://pypi.org/security/|follow our published security policy]]. Please don't report security issues in Warehouse via !GitHub, IRC, or mailing lists. Instead, please directly email one or more of our maintainers. == Our next steps == Once we fix all the urgent bugs we find, we'll remove the "beta" badge for each feature. Then we expect to move on to working on further security, accessibility, and internationalization tasks per [[https://wiki.python.org/psf/WarehouseRoadmap|the Warehouse roadmap]]). Thanks to the Open Technology Fund for funding this work. More progress reports at [[https://wiki.python.org/psf/PackagingWG|the Packaging Working Group's wiki page]]. |
| Line 26: | Line 79: |
| GitHub: https://github.com/pypa/warehouse/issues/new | Security issues: [[https://pypi.org/security/|email security @ python dot org]] |
| Line 28: | Line 81: |
| IRC: [[https://webchat.freenode.net/?channels=%23pypa-dev|#pypa-dev on Freenode]] (someone's usually there 10am-5pm Central Time on weekdays) | !GitHub for all other bug reports & feature requests:https://github.com/pypa/warehouse/issues/new |
| Line 30: | Line 83: |
| Email: [[https://groups.google.com/forum/#!forum/pypa-dev|pypa-dev mailing list]] | IRC: [[https://webchat.freenode.net/?channels=#pypa-dev|#pypa-dev on Freenode]] (someone's usually there 10am-5pm Central Time on weekdays) |
| Line 32: | Line 85: |
| Thank you for testing Warehouse! You're helping us launch sooner and future users of PyPI will appreciate it. :) | Email: [[https://mail.python.org/mailman3/lists/distutils-sig.python.org/|distutils-sig mailing list]] Thank you for testing Warehouse! You're helping us secure this ecosystem, and future users of PyPI will appreciate it. :) |
Help us test PyPI's authentication improvements!
Warehouse is the code behind the Python Package Repository (PyPI). We are seeking maintainers of Projects on PyPI to test our new two-factor auth and API token functionality and send us bug reports. WebAuthn support and API tokens are in beta; please help us shake the bugs out!
Feedback on user experience, accessibility, and overall ease of use are welcome; we want to support your workflows for account management and package maintainership. Go to your account settings and try it out!
Contents
Guidelines for Particpation
By participating, you agree to abide by the PyPA Code of Conduct.
- You must verify your primary email address on your Test PyPI and PyPI accounts before setting up 2FA or an API token.
You should sign up for the PyPI Announcement Mailing List for updates.
Changes we're making
To increase the security of PyPI downloads, we're beginning to introduce two-factor authentication (2FA) as a login security option, and we're adding scoped API tokens so you can upload a package using a token instead of a username and password.
You can use 2FA right now on Test PyPI and on official PyPI. PyPI currently supports a single 2FA method: generating a code through a Time-based One-time Password (TOTP) application. After you set up 2FA on your PyPI account, then you must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an application (usually a mobile phone app) in order to generate authentication codes; see below for suggestions and pointers.
In beta: We support WebAuthn and thus "security keys". A security key (also known as a universal second factor, or U2F key) is hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis. PyPI supports any FIDO U2F compatible key and follows the !WebAuthn standard. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in. The WebAuthn support is in beta so check the "caution" warning below.
Two-factor authentication currently only applies to the login step, not package uploads.
In beta: Starting DATE TK, we'll give users the ability to create and use API tokens to upload packages. API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI or Test PyPI. You can create a token for an entire PyPI account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. And then, manually or in your configuration file, when you upload, use @token for the username and the token string for the password. API token support is in beta so check the "caution" warning below.
Things to test
Most of these you can test on pypi.org. For testing destructive actions, like removing an owner, deleting a project, or deleting a release, please use test.pypi.org.
Caution (before you test)
During this beta testing period, if things go awry, there's a chance we will need to wipe WebAuthn tokens from users' accounts, so if you choose to try it, please be forewarned. That's why you need a PyPI-verified email address on your user account before adding a second login auth factor, to make potential account recovery smoother.
Reminder! Sign up for the PyPI Announcement Mailing List to be kept in the loop as we continue this process!
Workflows
- Verify primary email address
- Add, disable, and remove 2FA token using TOTP
Add, disable, and remove 2FA token using U2F (WebAuthn)
- Login/Logout
- Set multiple 2FA tokens and login
- Add and remove project-scoped API token
- Add and remove user-scoped API token
- Upload a package using API token
- User Registration and Confirmation
- Password Reset
Testers we need
In particular, please help us test this if any of these apply to you:
- automate uploads using continuous integration
save your PyPI credentials in a `.pypirc` file
- use Windows
- usually visit PyPI on a mobile device
- are an organization where users share an auth token within a group
- have 4+ maintainers or owners for one project
- use an unusual TOTP app or U2F token
- have a slow Internet connection
usually block cookies and JavaScript (note that you can't set up a U2F key without JavaScript)
- maintain 20+ projects
- created your PyPI account 6+ years ago
Setting up a TOTP application
See our help docs for guidance on choosing a TOTP app for desktop or mobile.
Setting up a U2F security key
See our help docs for guidance on setting up your U2F security key. Please note that you cannot set up or use U2F for a second factor without turning on JavaScript, and that right now we only support Chrome, Edge, and Firefox.
Security bugs
If you find any potential security vulnerabilities, please follow our published security policy. Please don't report security issues in Warehouse via GitHub, IRC, or mailing lists. Instead, please directly email one or more of our maintainers.
Our next steps
Once we fix all the urgent bugs we find, we'll remove the "beta" badge for each feature. Then we expect to move on to working on further security, accessibility, and internationalization tasks per the Warehouse roadmap). Thanks to the Open Technology Fund for funding this work. More progress reports at the Packaging Working Group's wiki page.
Contact us
Security issues: email security @ python dot org
GitHub for all other bug reports & feature requests:https://github.com/pypa/warehouse/issues/new
IRC: #pypa-dev on Freenode (someone's usually there 10am-5pm Central Time on weekdays)
Email: distutils-sig mailing list
Thank you for testing Warehouse! You're helping us secure this ecosystem, and future users of PyPI will appreciate it. 