'PyPI wants me to enable 2FA just because I maintain this package, and both that and the mess resulting from a stunt of mine, I thought it'd be a good time to deprecate this package. Python 3 has os.replace and os.rename which probably do well enough of a job for most use cases.'
https://github.com/untitaker/python-atomicwrites
Edit:
From the bug report
'I decided to deprecate this package. While I do regret to have deleted the package and did end up enabling 2FA, I think PyPI's sudden change in rules and bizarre behavior wrt package deletion doesn't make it worth my time to maintain Python software of this popularity for free. I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so.'
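The deprecation notice quoted above points at os.replace as the replacement for atomicwrites. What that actually takes in practice (temp file in the same directory, fsync before the rename, cleanup on failure, directory fsync afterwards) is shown in the following added example; it is my own code for this thread, not code from python-atomicwrites or from the maintainer. The function names atomic_write and demo, and the settings.json content, are mine and constructed for illustration.

```python
import os
import stat
import tempfile
from typing import BinaryIO, Callable, Union

Content = Union[bytes, Callable[[BinaryIO], None]]


def atomic_write(path: str, content: Content) -> None:
    """Replace `path` with new content so readers see either the old file or the
    complete new one, never a partially written file.

    Technique: write to a temp file in the *same* directory (os.replace is only
    atomic within one filesystem), fsync it, then rename over the target.
    """
    path = os.path.abspath(path)
    directory = os.path.dirname(path)
    # mkstemp creates the file with mode 0600 and O_EXCL, so no other process
    # can race us for the temp name.
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            if callable(content):
                content(f)          # caller streams into the temp file
            else:
                f.write(content)
            f.flush()
            os.fsync(f.fileno())    # data must be on disk before the rename
        # Keep the existing file's permission bits instead of mkstemp's 0600.
        try:
            os.chmod(tmp_path, stat.S_IMODE(os.stat(path).st_mode))
        except FileNotFoundError:
            pass                    # first write: the 0600 default stays
        os.replace(tmp_path, path)  # atomic overwrite on POSIX and Windows
    except BaseException:
        # Any failure (including the writer raising) leaves the original file
        # untouched; just remove the half-written temp file.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    # Make the rename itself durable across a crash (POSIX directories only).
    if hasattr(os, "O_DIRECTORY"):
        dfd = os.open(directory, os.O_DIRECTORY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Exercise atomic_write in a scratch directory with constructed data,
    including a writer that fails half-way through."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "settings.json")
    atomic_write(p, b'{"version": 1}')
    first = _read(p)
    atomic_write(p, b'{"version": 2}')
    second = _read(p)

    def failing_writer(f: BinaryIO) -> None:
        f.write(b'{"version": 3, "trunc')
        raise OSError("simulated write failure")

    writer_failed = False
    try:
        atomic_write(p, failing_writer)
    except OSError:
        writer_failed = True
    return {
        "first": first,
        "second": second,
        "after_failure": _read(p),       # still the complete version-2 file
        "writer_failed": writer_failed,
        "leftovers": sorted(os.listdir(d)),  # no stray .tmp-* files
    }


if __name__ == "__main__":
    print(demo())
```

The two details most often skipped when people hand-roll this are the fsync before the rename (without it a crash can leave a zero-length file under the final name) and the same-directory temp file (a temp file under /tmp may sit on a different filesystem, where os.replace is a copy, not a rename).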
I can see the maintainer's point, even if it may be inconvenient.
The system works.
While I am in full support of not asking too much of open source maintainers, a cooperative stance makes the overall situation better for everyone involved. This could have been handled in a better way.
It's even easier to just leave 2FA disabled and stop maintaining the project. Which is what they did.
Are maintainers obligated to support their projects indefinitely?
I recently ran into a situation where a very old package caused terrible damage.
I contacted the pypi maintainer. He apologized and promised to fix it. Six months later, no changes.
This was a very unusual situation, as the package was the same name as a module later adopted in the standard library.
The author was under the impression the package was literally uninstallable since the code hadn’t been valid Python for over two decades, including the setup script.
Still wish they would delete it.
And I locked myself out of the first one while (before finishing!) setting up my second, so IMO you need more than two.
(It's not a great story, the tl;dr is I used a different passphrase for the second one, mixed them up, and ploughed through my 3 tries at the passphrase on my first one confident I was getting it right.
I also think that default (Yubikey's) of 3 tries is insanely low; getting it wrong just once is nerve-wracking. How much easier is it to brute-force in 30? That's more guesses of pet names et al., sure, but you're not brute-forcing it in that. Just don't use a pet name.)
> PyPI wants me to enable 2FA just because I maintain this package, which I don't care for. So this package is now unmaintained.
Just set up a KeePassXC file and put your 2FA info in there? You don't need to give PyPI your phone info, PyPI takes TOTP[1]. 2FA is pretty normal; I don't see why the author has a problem with it. It doesn't violate privacy (since it's not actually tied to any PII like a phone number), it takes like 10 seconds to set up, and it protects your packages from hackers. Perhaps the author simply doesn't see the point of 2FA, since he implies the PyPI authors only did it for compliance reasons (and not for normal bolt-your-doors security reasons, which is more likely)?
He calls setting up 2FA "an expense of my free time" when surely it took more time for him to delete and re-add his package than it would have to just set up 2FA.
EDIT:
To be fair, the maintainer owes us nothing[2], sure. But it's not unreasonable to protect the larger community with basic security practices, either.
1: https://pypi.org/help/#twofa
2: https://gist.github.com/richhickey/1563cddea1002958f96e7ba95...
If we keep treating open source maintainers like they owe us anything, we will have fewer open source maintainers.
I think they also deserve some respect.
That isn't necessarily a bad thing. I would be happy to lose every developer who is unwilling to enable 2FA. I am glad to see that that's what happened here. The developer has no responsibility to maintain their code, and PyPI has no responsibility to let them publish their code. Both sides discussed this and an agreement was reached - the developer will no longer publish their code to PyPI.
No one acted maliciously. Everyone wins.
1: https://gist.github.com/richhickey/1563cddea1002958f96e7ba95...
Edit: to be clear, not trying to shame the author here - it sounds like they tried to avoid this situation: "what i didn't consider is that this would delete old versions. those are apparently now gone and yet it's apparently not possible for me to re-upload them. i don't think that's sensible behavior by pypi, but either way i'm sorry about that."
I think this is a bad design on PyPI's part though.
Other registries go further and make it harder or impossible to delete once certain criteria are met (pretty sure this was put in place after leftpad broke the whole ecosystem): https://docs.npmjs.com/unpublishing-packages-from-the-regist...
Just having a 2FA requirement from the start (or some grace period like 7 days) seems like the way to do it.
[1] https://old.reddit.com/r/Python/comments/vuh41q/pypi_moves_t...
[2] https://gist.github.com/jack1142/efe5c89b861a41616aaf8587838...