Developers Can Now Mark PyPI Projects as Archived

The Python Package Index (PyPI) has launched a new project archival feature that lets developers archive their projects, signalling clearly that no further updates will be published. This helps users make informed decisions about their dependencies and avoid obsolete or potentially unsafe code.

Archived projects remain available for download, but their pages display a notice about their support status. This matters for supply-chain security: attackers often take over abandoned projects and push malicious updates, which can harm thousands of users years later.

Beyond protecting users, the new feature reduces the burden on maintainers by cutting down on support requests and questions about a project's status. According to Trail of Bits, the feature lets project owners mark their projects as archived themselves. PyPI recommends publishing a final release before archiving, in which the reasons for the decision can be stated, but this is left to the developers' discretion.

If work on a project resumes, the archived status can be removed at any time. The feature is built on the lifecycle status model originally designed for quarantining projects. The system allows switching between different statuses, and PyPI plans to add further markers such as "Deprecated", "Feature-Complete" and "Unmaintained" in the future. This will help users assess the state of their dependencies more quickly.

Archived projects display a banner warning developers to look for actively maintained alternatives, which helps avoid depending on packages that are no longer supported and reduces the likelihood of attacks through outdated libraries.

One risk in the open-source ecosystem is the hijacking of old projects. Attackers take control of abandoned libraries and introduce malicious code in subsequent updates. This has already happened with a number of popular packages, leading to the compromise of thousands of systems. Sometimes developers delete projects entirely, which also poses a threat, as in Revival Hijack, an attack in which an attacker registers the vacated package name and uploads a malicious clone.
