Differences between revisions 14 and 34 (spanning 20 versions)
Revision 14 as of 2018-03-15 03:01:11
Size: 4294
Comment: update to security policy per https://github.com/pypa/warehouse/pull/3258
Revision 34 as of 2019-08-15 21:22:16
Size: 9013
Comment: fix obsolete mention of single 2FA method
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
= Help us test PyPI! =
Warehouse is a next-generation Python Package Repository which will replace the existing code base that currently powers[[https://pypi.python.org/|PyPI]] ([[https://github.com/pypa/warehouse|source code on GitHub]],[[https://wiki.python.org/psf/WarehouseRoadmap|roadmap]]). We are seeking maintainers of Projects on PyPI to test it and send us bug reports.
= Help us test PyPI's authentication improvements! =
Warehouse is the code behind the Python Package Repository ([[https://pypi.org/|PyPI]]). We are seeking maintainers of Projects on PyPI to test our new security improvements while they're in beta and send us bug reports. Please help us shake the bugs out!
Line 5: Line 5:
Since Warehouse must be a reimplementation of the existing PyPI, please focus on any differences, missing features, or incorrect behavior that is exhibited on pypi.org that affect your workflows for account management and package maintainership initially. We'll be soliciting feedback on other concerns soon! Feedback on user experience, accessibility, and overall ease of use are welcome. Go to [[https://pypi.org/|the pre-production deployment at https://pypi.org/]] and try it out! Feedback on user experience, accessibility, and overall ease of use are welcome; we want to support your workflows for account management and package maintainership. Go to [[https://pypi.org/manage/account/#two-factor|your account settings]] and try it out!
Line 11: Line 11:
 * You must verify your primary email address on your Test PyPI and PyPI accounts before setting up 2FA or an API token.
Line 13: Line 14:
== Changes we're making ==
To increase the security of PyPI downloads, we're introducing a few improvements:

=== Two-factor authentication ===

[[https://pypi.org/help/#twofa|two-factor authentication (2FA)]] is a new login security option.

You can use 2FA right now on [[http://test.pypi.org/|Test PyPI]] and on [[https://pypi.org|official PyPI]]. PyPI currently supports two 2FA methods. One is generating a code through a Time-based One-time Password (TOTP) application. After you set up 2FA on your PyPI account, then you must provide a TOTP (along with your username and password) to log in. Therefore, to use 2FA on PyPI, you'll need to provision an application (usually a mobile phone app) in order to generate authentication codes; see below for suggestions and pointers. This feature is fully deployed and out of beta.

'''In beta:''' We support !WebAuthn and thus "security keys". A security key (also known as a universal second factor, or U2F key) is hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include Yubikey, Google Titan and Thetis. PyPI supports any [[https://fidoalliance.org/specifications/download/|FIDO U2F compatible key]] and follows the [[https://www.w3.org/TR/webauthn/|!WebAuthn standard]]. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in. The !WebAuthn support is '''in beta''' so check the "caution" warning below.

Two-factor authentication currently only applies to the login step, not package uploads.

=== Upload API tokens ===

We're adding scoped API tokens so you can upload a package using a token instead of a username and password.

'''In beta:''' You can create and use API tokens to upload packages. API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI or Test PyPI. You can create a token for an entire PyPI account, in which case, the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. And then, manually or in your configuration file, when you upload, use `@token` for the username and the token string for the password. API token support is '''in beta''' so check the "caution" warning below.

=== Audit log ===

We're adding a display so you can look at things that have happened in your user account or project, and check for signs someone's stolen your credentials.

You can view a log of sensitive actions from the last two weeks that are relevant to your user account, and if you are an Owner at least one project on PyPI, you can view a log of sensitive actions (performed by ANY user) relevant to projects you're an Owner for. (And PyPI administrators are able to view the full audit log.)

'''In beta:''' We're still refining this, so check the "caution" warning below. And the sensitive event logging and display starting on 16 August 2019, so you won't see sensitive events from before that date.
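Review bot: the upload username given as `@token` in the API-token paragraph ("use `@token` for the username and the token string for the password") should be verified against the help page that same paragraph's section points readers to (https://pypi.org/help/#apitoken) before this goes live; a maintainer who copies `@token` literally into a `.pypirc` gets an authentication failure if the placeholder differs, and the placeholder PyPI documents for token uploads is `__token__`. Two smaller points in the same hunk: "is hardware device" in the WebAuthn paragraph needs "a", and "the sensitive event logging and display starting on 16 August 2019" in the audit-log paragraph has no main verb (e.g. "logging and display of sensitive events starts on 16 August 2019"). It would also help to say why "Two-factor authentication currently only applies to the login step, not package uploads" matters: an upload authenticated with username and password is still accepted without a second factor, which is the gap the scoped tokens introduced two paragraphs later are meant to close.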
Line 14: Line 42:
Most of these you can test [[http://pypi.org/|on pypi.org]], using the same login as you use on [[http://pypi.python.org|pypi.python.org]] (legacy PyPI). For testing destructive actions, like removing an owner, deleting a project, or deleting a release, please use [[https://test.pypi.org/|test.pypi.org]]. Most of these you can test [[https://pypi.org/manage/account/#two-factor|on pypi.org]]. For testing destructive actions, like removing an owner or deleting a project, please use [[https://test.pypi.org/manage/account/#two-factor|test.pypi.org]].

=== Caution (before you test) ===
During this beta testing period, if things go awry, there's a chance we will need to wipe !WebAuthn and API tokens from users' accounts, so if you choose to try it, please be forewarned. That's why you need a PyPI-verified email address on [[https://pypi.org/manage/account/|your user account]] before adding a second login auth factor, to make potential account recovery smoother.

We may also fail to log, or to properly display, events in the audit log.

Reminder! Sign up for the [[https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/|PyPI Announcement Mailing List]] to be kept in the loop as we continue this process!
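Review bot: the caution about wiping WebAuthn and API tokens should spell out the consequence for the testers the next section most wants, those who "automate uploads using continuous integration": every pipeline configured with a token will fail its next upload until a new token is issued and the pipeline's secret is rotated, so testers should be told to expect that and to keep a way to regenerate tokens. The recovery sentence also conflates the two cases: a verified e-mail address helps recover an account whose second factor was wiped, but it has no bearing on wiped API tokens, so "That's why you need a PyPI-verified email address ... before adding a second login auth factor" should be tied to the WebAuthn case only.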
Line 17: Line 52:
 * Add/Remove Maintainer
 * Add/Remove Owner
 * Transition Ownership
 * Verify primary email address: check that the user log lists the event
 * Add, disable, and remove 2FA token using TOTP: check that the user log lists the events
 * Add, disable, and remove 2FA token using U2F (!WebAuthn): check that the user log lists the events
 * Login/Logout
 * Set multiple 2FA tokens and login: check that the user log lists the events
 * Add and remove project-scoped API token, and verify that you see this in the user log
 * Add and remove user-scoped API token, and verify that you see this in the user log
 * Upload a package using API token, and verify that you see this in the project log
 * Remove a user from owner/maintainer status for a project, and verify that their API token for that project stops working and that the project log lists the event
 * Delete a release from a project: verify that the project log lists the event
 * Delete a project, and verify that an API token scoped for that project stops working
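Review bot: the workflow list never tests revocation of a token directly: it checks that a token stops working when the user loses owner/maintainer status and when the project is deleted, but not that removing the token itself (the "Add and remove project-scoped API token" step) makes a later upload with that token fail. Add a step such as "Upload with a removed API token: verify the upload is rejected and the project log shows no upload" after the two add/remove steps. The "Upload a package using API token" step checks only the project log; since user-scoped tokens span projects, that step should also say whether the upload is expected to appear in the user log, so testers know which log to look in.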
Line 21: Line 64:
 * Login/Logout
 * Password Reset
 * Remove a project
 * Remove a release
 * View Journals for a Project
 * View Journals for a Release
 * Password Reset: check that the user log lists the event
Line 28: Line 66:
== Security == === Testers we need ===
In particular, please help us test this if any of these apply to you:

 * automate uploads using continuous integration
 * save your PyPI credentials in [[https://packaging.python.org/guides/distributing-packages-using-setuptools/#create-an-account|a `.pypirc` file]]
 * use Windows
 * usually visit PyPI on a mobile device
 * are an organization where users share an auth token within a group
 * have 4+ maintainers or owners for one project
 * use an unusual TOTP app or U2F token
 * have a slow Internet connection
 * usually block cookies and !JavaScript (note that you can't set up a U2F key without !JavaScript)
 * maintain 20+ projects
 * created your PyPI account 6+ years ago

=== Setting up a TOTP application ===
See [[https://pypi.org/help/#totp|our help docs]] for guidance on choosing a TOTP app for desktop or mobile.

=== Setting up a U2F security key ===
See [[https://pypi.org/help/#utfkey|our help docs]] for guidance on setting up your U2F security key. Please note that you cannot set up or use U2F for a second factor without turning on !JavaScript, and that [[https://github.com/pypa/warehouse/issues/6034|right now we only support Chrome, Edge, and Firefox]].

=== Provisioning and using API Tokens ===
See [[https://pypi.org/help/#apitoken|our help docs]] for guidance on provisioning and using API Tokens. You can create a token that allows uploads for all projects your user account has Maintainer or Owner access to, or scope it to a specific project.

== Security bugs ==
Line 31: Line 93:
== IRC livechat hours ==
Warehouse developers will be in IRC, in [[https://webchat.freenode.net/?channels=#pypa-dev|#pypa-dev on Freenode]], and available to talk about problems you run into, or about how to hack on Warehouse:

 1. Tuesday Feb 27th: [[https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=2&day=27&hour=17&min=0&sec=0&p1=24&p2=198&p3=90|1700 UTC / noon-1pm EST]]
 1. Tuesday Feb 27th: [[https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=2&day=27&hour=23&min=0&sec=0&p1=24&p2=198&p3=90|2300 UTC / 6pm-7pm EST]]
 1. Thursday March 1st: [[https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=3&day=1&hour=17&min=0&sec=0&p1=24&p2=198&p3=90|1700 UTC / noon-1pm EST]]
 1. Thursday March 1st: [[https://www.timeanddate.com/worldclock/meetingdetails.html?year=2018&month=3&day=1&hour=23&min=0&sec=0&p1=24&p2=198&p3=90%20|2300 UTC / 6pm-7pm EST]]

Feel free to drop in!

== Notice ==
We're working hard on nearly every aspect of the Warehouse codebase to get it ready for production deployment and are shipping features nearly every day, so check back and maybe even try using https://pypi.org for your maintainer activities full time. Due to the rate of change some errors, downtime, and outright broken features may occur. We have some automated reporting of the scenarios in place, but let us know!

Reminder! Sign up for the [[https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/|PyPI Announcement Mailing List]] to be kept in the loop as we continue this process!
== Our next steps ==
Once we fix all the urgent bugs we find, we'll remove the "beta" badge for each feature. Then we expect to move on to working on further security, accessibility, and internationalization tasks per [[https://wiki.python.org/psf/WarehouseRoadmap|the Warehouse roadmap]]). Thanks to the Open Technology Fund for funding this work. More progress reports at [[https://wiki.python.org/psf/PackagingWG|the Packaging Working Group's wiki page]].
Line 51: Line 101:
IRC: [[https://webchat.freenode.net/?channels=#pypa-dev|#pypa-dev on Freenode]] (someone's usually there 10am-5pm Central Time on weekdays, or come to the [[#IRC_livechat_hours|livechat hours]]) IRC: [[https://webchat.freenode.net/?channels=#pypa-dev|#pypa-dev on Freenode]] (someone's usually there 10am-5pm Central Time on weekdays)
Line 53: Line 103:
Email: [[https://groups.google.com/forum/#!forum/pypa-dev|pypa-dev mailing list]] Email: [[https://mail.python.org/mailman3/lists/distutils-sig.python.org/|distutils-sig mailing list]]
Line 55: Line 105:
Thank you for testing Warehouse! You're helping us launch sooner and future users of PyPI will appreciate it. :) Thank you for testing Warehouse! You're helping us secure this ecosystem, and future users of PyPI will appreciate it. :)

Help us test PyPI's authentication improvements!

Warehouse is the code behind the Python Package Repository (PyPI). We are seeking maintainers of Projects on PyPI to test our new security improvements while they're in beta and send us bug reports. Please help us shake the bugs out!

Feedback on user experience, accessibility, and overall ease of use is welcome; we want to support your workflows for account management and package maintainership. Go to your account settings and try it out!

Guidelines for Participation

  • By participating, you agree to abide by the PyPA Code of Conduct.
  • You must verify your primary email address on your Test PyPI and PyPI accounts before setting up 2FA or an API token.
  • You should sign up for the PyPI Announcement Mailing List for updates.

Changes we're making

To increase the security of PyPI downloads, we're introducing a few improvements:

Two-factor authentication

Two-factor authentication (2FA) is a new, optional login security feature.

You can use 2FA right now on Test PyPI and on official PyPI. PyPI currently supports two 2FA methods. The first is a code generated by a Time-based One-time Password (TOTP) application. Once you set up TOTP on your PyPI account, you must provide the current TOTP code (along with your username and password) to log in, so you'll need to provision an application (usually a mobile phone app) that generates the codes; see below for suggestions and pointers. This method is fully deployed and out of beta.

In beta: We support WebAuthn and thus "security keys". A security key (also known as a universal second factor, or U2F, key) is a hardware device that communicates via USB, NFC, or Bluetooth. Popular keys include YubiKey, Google Titan and Thetis. PyPI supports any FIDO U2F compatible key and follows the WebAuthn standard. Users who have set up this second factor will be prompted to use their key (usually by inserting it into a USB port and pressing a button) when logging in. The WebAuthn support is in beta so check the "caution" warning below.

Two-factor authentication currently only applies to the login step, not package uploads: an upload authenticated with your username and password is still accepted without a second factor, so a leaked password can still be used to publish releases. The API tokens described next are the way to keep the account password out of upload scripts.

Upload API tokens

We're adding scoped API tokens so you can upload a package using a token instead of a username and password.

In beta: You can create and use API tokens to upload packages. API tokens provide an alternative way (instead of username and password) to authenticate when uploading packages to PyPI or Test PyPI. You can create a token for an entire PyPI account, in which case the token will work for all projects associated with that account. Alternatively, you can limit a token's scope to a specific project. Then, whether you enter credentials by hand or store them in your configuration file, use __token__ as the username and the token string as the password when you upload. API token support is in beta so check the "caution" warning below.
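An added example (not the page's own material) of the configuration-file step: a `.pypirc` that uploads with a token, the weaker username-and-password form it replaces, and a Python check that flags the weak settings and a file readable by other users. The token values are made-up placeholders; that PyPI-issued tokens begin with `pypi-` and the function names are this example's assumptions.

```python
import configparser
import os
import stat
import tempfile
from typing import List

# Constructed .pypirc of the kind this page describes: the literal
# placeholder __token__ as the username and the token string as the
# password. The token values are fake placeholders, not real tokens.
TOKEN_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
repository = https://upload.pypi.org/legacy/
username = __token__
password = pypi-EXAMPLE-PROJECT-SCOPED-TOKEN

[testpypi]
repository = https://test.pypi.org/legacy/
username = __token__
password = pypi-EXAMPLE-TESTPYPI-TOKEN
"""

# Constructed weak counterpart: the account password itself on disk, and
# an upload endpoint without TLS.
PASSWORD_PYPIRC = """\
[distutils]
index-servers = pypi

[pypi]
repository = http://upload.pypi.org/legacy/
username = alice
password = hunter2
"""

TOKEN_PREFIX = "pypi-"   # assumed format of PyPI-issued tokens


def check_pypirc_text(text: str) -> List[str]:
    """Content checks; returns findings (an empty list means no problems)."""
    cp = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cp.read_string(text)
    findings: List[str] = []
    for name in cp.get("distutils", "index-servers", fallback="").split():
        if not cp.has_section(name):
            findings.append(f"{name}: listed in index-servers but has no section")
            continue
        repo = cp.get(name, "repository", fallback="")
        user = cp.get(name, "username", fallback="")
        password = cp.get(name, "password", fallback="")
        if repo and not repo.startswith("https://"):
            findings.append(f"{name}: repository {repo} is not https; "
                            "credentials would travel in the clear")
        if user != "__token__":
            findings.append(f"{name}: account password stored for user {user!r}; "
                            "use an API token with username __token__")
        elif not password.startswith(TOKEN_PREFIX):
            findings.append(f"{name}: username is __token__ but the password "
                            "does not look like a PyPI token")
    return findings


def check_pypirc_file(path: str) -> List[str]:
    """File checks on top of the content checks: the token is a bearer
    credential, so the file must not be readable by group or others."""
    findings: List[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is readable by other users; chmod 600")
    with open(path, encoding="utf-8") as fh:
        findings.extend(check_pypirc_text(fh.read()))
    return findings


def write_and_check(text: str, mode: int) -> List[str]:
    """Write `text` to a throw-away file with the given mode and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".pypirc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return check_pypirc_file(path)
```

With the token form in `~/.pypirc`, `twine upload dist/*` needs no further credentials; in CI the same two values can instead be supplied through twine's `TWINE_USERNAME` (set to `__token__`) and `TWINE_PASSWORD` environment variables, which keeps the token out of the repository.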

Audit log

We're adding a display so you can look at things that have happened in your user account or project, and check for signs someone's stolen your credentials.

You can view a log of sensitive actions from the last two weeks that are relevant to your user account, and if you are an Owner of at least one project on PyPI, you can view a log of sensitive actions (performed by ANY user) relevant to projects you're an Owner for. (And PyPI administrators are able to view the full audit log.)

In beta: We're still refining this, so check the "caution" warning below. Logging and display of sensitive events starts on 16 August 2019, so you won't see sensitive events from before that date.
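To show how the two-week user log can be used to "check for signs someone's stolen your credentials", here is an added Python example (not PyPI's code, and not PyPI's log format: the event names, fields and addresses are constructed for this illustration). It flags sensitive events from addresses the account holder does not recognise and, more usefully, any upload made with a token that was itself created from such an address.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Event:
    """One audit-log entry. Field names and event names are constructed
    for this example and are not PyPI's log schema."""
    time: str              # ISO 8601, UTC
    name: str              # e.g. "login:success", "api_token:added"
    ip: str                # address the action came from
    detail: Dict[str, str] = field(default_factory=dict)


# Events that should only ever originate from the account holder.
SENSITIVE = {
    "login:success",
    "api_token:added",
    "two_factor:method_added",
    "two_factor:method_removed",
    "email:primary_change",
    "password:reset_requested",
}

# Constructed two-week user log: a normal session from the owner's usual
# address and a CI upload, then a session from an unrecognised address
# that creates a user-scoped token and uploads with it. Addresses are
# RFC 5737 documentation ranges, not real hosts.
USER_LOG = [
    Event("2019-08-16T09:02:00Z", "login:success", "203.0.113.10"),
    Event("2019-08-16T09:05:00Z", "api_token:added", "203.0.113.10",
          {"token": "ci-upload", "scope": "project:example-pkg"}),
    Event("2019-08-17T12:00:00Z", "file:upload", "192.0.2.44",
          {"token": "ci-upload", "project": "example-pkg"}),
    Event("2019-08-20T03:41:00Z", "login:success", "198.51.100.77"),
    Event("2019-08-20T03:43:00Z", "api_token:added", "198.51.100.77",
          {"token": "backup", "scope": "user"}),
    Event("2019-08-20T03:50:00Z", "file:upload", "198.51.100.77",
          {"token": "backup", "project": "example-pkg"}),
    Event("2019-08-21T10:00:00Z", "email:primary_change", "203.0.113.10"),
]

KNOWN_IPS = {"203.0.113.10"}   # addresses the account holder recognises


def triage(log: List[Event], known_ips: Set[str]) -> List[Tuple[Event, str]]:
    """Return (event, reason) pairs worth a closer look.

    Two rules: a sensitive action from an address the owner does not
    recognise, and an upload authenticated with a token that was itself
    created in such a session. Uploads from unknown addresses with a
    token created from a known address are not flagged on their own,
    because CI runners legitimately upload from changing addresses."""
    flagged: List[Tuple[Event, str]] = []
    tainted_tokens: Set[str] = set()
    for ev in sorted(log, key=lambda e: e.time):
        token = ev.detail.get("token", "")
        if ev.name in SENSITIVE and ev.ip not in known_ips:
            flagged.append((ev, f"{ev.name} from unrecognised address {ev.ip}"))
            if ev.name == "api_token:added" and token:
                tainted_tokens.add(token)
        elif ev.name == "file:upload" and token in tainted_tokens:
            flagged.append((ev, f"upload of {ev.detail.get('project', '?')} used "
                                f"token {token!r} created from an unrecognised address"))
    return flagged


def tokens_to_revoke(flagged: List[Tuple[Event, str]]) -> Set[str]:
    """Tokens that appear in any flagged event; revoke these first."""
    return {ev.detail["token"] for ev, _ in flagged if "token" in ev.detail}
```

Because the log only goes back two weeks, a review like this has to happen at least that often to be useful; the token-taint rule matters because a stolen password used to mint a new token leaves a trail in the user log even when the upload itself looks routine in the project log.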

Things to test

Most of these you can test on pypi.org. For testing destructive actions, like removing an owner or deleting a project, please use test.pypi.org.

Caution (before you test)

During this beta testing period, if things go awry, there's a chance we will need to wipe WebAuthn and API tokens from users' accounts, so if you choose to try it, please be forewarned. That's why you need a PyPI-verified email address on your user account before adding a second login auth factor, to make potential account recovery smoother.

We may also fail to log, or to properly display, events in the audit log.

Reminder! Sign up for the PyPI Announcement Mailing List to be kept in the loop as we continue this process!

Workflows

  • Verify primary email address: check that the user log lists the event
  • Add, disable, and remove 2FA token using TOTP: check that the user log lists the events
  • Add, disable, and remove 2FA token using U2F (WebAuthn): check that the user log lists the events
  • Login/Logout
  • Set multiple 2FA tokens and login: check that the user log lists the events
  • Add and remove project-scoped API token, and verify that you see this in the user log
  • Add and remove user-scoped API token, and verify that you see this in the user log
  • Upload a package using API token, and verify that you see this in the project log
  • Remove a user from owner/maintainer status for a project, and verify that their API token for that project stops working and that the project log lists the event
  • Delete a release from a project: verify that the project log lists the event
  • Delete a project, and verify that an API token scoped for that project stops working
  • User Registration and Confirmation
  • Password Reset: check that the user log lists the event

Testers we need

In particular, please help us test this if any of these apply to you:

  • automate uploads using continuous integration
  • save your PyPI credentials in a `.pypirc` file
  • use Windows
  • usually visit PyPI on a mobile device
  • are an organization where users share an auth token within a group
  • have 4+ maintainers or owners for one project
  • use an unusual TOTP app or U2F token
  • have a slow Internet connection
  • usually block cookies and JavaScript (note that you can't set up a U2F key without JavaScript)
  • maintain 20+ projects
  • created your PyPI account 6+ years ago

Setting up a TOTP application

See our help docs for guidance on choosing a TOTP app for desktop or mobile.

Setting up a U2F security key

See our help docs for guidance on setting up your U2F security key. Please note that you cannot set up or use U2F for a second factor without turning on JavaScript, and that right now we only support Chrome, Edge, and Firefox.

Provisioning and using API Tokens

See our help docs for guidance on provisioning and using API Tokens. You can create a token that allows uploads for all projects your user account has Maintainer or Owner access to, or scope it to a specific project.

Security bugs

If you find any potential security vulnerabilities, please follow our published security policy. Please don't report security issues in Warehouse via GitHub, IRC, or mailing lists. Instead, please directly email one or more of our maintainers.

Our next steps

Once we fix all the urgent bugs we find, we'll remove the "beta" badge for each feature. Then we expect to move on to working on further security, accessibility, and internationalization tasks per the Warehouse roadmap. Thanks to the Open Technology Fund for funding this work. More progress reports at the Packaging Working Group's wiki page.

Contact us

Security issues: email security @ python dot org

GitHub for all other bug reports & feature requests: https://github.com/pypa/warehouse/issues/new

IRC: #pypa-dev on Freenode (someone's usually there 10am-5pm Central Time on weekdays)

Email: distutils-sig mailing list

Thank you for testing Warehouse! You're helping us secure this ecosystem, and future users of PyPI will appreciate it. :)

WarehousePackageMaintainerTesting (last edited 2019-08-15 21:22:16 by SumanaHarihareswara)
