The Python Software Foundation has announced new measures to protect user data on the PyPI repository after being compelled to disclose personal information. In March and April, the US Department of Justice served subpoenas for data on five PyPI user accounts. The requested data included the names and addresses associated with the accounts, lists of uploaded packages and IP addresses. The requests were fulfilled after consultation with legal counsel.
The Python Software Foundation and PyPI, however, are committed to the freedom, privacy and safety of their users. To that end, the data-disclosure policy has been revised to keep user data confidential. The Foundation also plans to collect less personal data in the first place and to shorten the retention period of logs that record user connections, which limits the damage if the infrastructure is compromised or staff make a mistake.
Separately, the PyPI developers have decided to stop supporting PGP signatures for package verification, because in their current form the signatures did not serve their purpose and were judged useless. Links to signatures had already been removed from the web interface. Developers can still upload PGP signatures alongside their packages, but the uploaded signatures are now ignored. Previously uploaded signatures remain downloadable, no new signatures will be published, and the “has_sig” field in the API will always be set to “false”.
Over the last three years, roughly 50,000 signatures from 1,069 distinct PGP key IDs were uploaded with PyPI packages. However, 29% of those keys could not be found on the major public keyservers, so their signatures could not be verified at all. Of the remaining 71%, about half could not be confirmed as valid at the time of the audit. Overall, only 36% of the keys could be verified, and signatures that could actually be checked covered just 0.3% of all files uploaded in that period.
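The practical consequence for anyone consuming PyPI's JSON API (https://pypi.org/pypi/&lt;project&gt;/json) is that the “has_sig” flag no longer carries information, so tooling should not branch on it, and the only integrity check the index still offers is the per-file sha256 digest. The following Python script is an added example, not code from PyPI or the Python Software Foundation: it parses a constructed, trimmed response in the shape of that API, shows the flag is uniformly false, derives where a legacy detached signature would have lived, and verifies downloaded bytes against the published digest. The project name, file names, URLs and file contents are invented for the example; the field names (“urls”, “filename”, “url”, “digests.sha256”, “has_sig”, “yanked”) are the ones the real API uses.

```python
"""Reading PyPI's JSON API after the PGP change: ignore has_sig, verify digests."""
import hashlib
import hmac
import json

# Constructed file contents standing in for a downloaded wheel and sdist.
SAMPLE_WHEEL = b"PK\x03\x04 constructed wheel contents for the example\n"
SAMPLE_SDIST = b"\x1f\x8b constructed sdist contents for the example\n"

# Constructed sample shaped like a trimmed https://pypi.org/pypi/<project>/<version>/json
# response. The project, filenames and URLs are invented; digests are computed from the
# constructed bytes above so the happy path verifies.
SAMPLE_API_RESPONSE = json.dumps({
    "info": {"name": "example-pkg", "version": "1.2.3"},
    "urls": [
        {
            "filename": "example_pkg-1.2.3-py3-none-any.whl",
            "packagetype": "bdist_wheel",
            "url": "https://files.pythonhosted.org/packages/ab/cd/example_pkg-1.2.3-py3-none-any.whl",
            "digests": {"sha256": hashlib.sha256(SAMPLE_WHEEL).hexdigest()},
            "has_sig": False,  # always False now, regardless of what was uploaded
            "yanked": False,
        },
        {
            "filename": "example-pkg-1.2.3.tar.gz",
            "packagetype": "sdist",
            "url": "https://files.pythonhosted.org/packages/ab/cd/example-pkg-1.2.3.tar.gz",
            "digests": {"sha256": hashlib.sha256(SAMPLE_SDIST).hexdigest()},
            "has_sig": False,
            "yanked": False,
        },
    ],
})


def release_files(api_json: str) -> list:
    """Return the per-file records ("urls" array) from an API document."""
    return json.loads(api_json)["urls"]


def advertises_pgp_signature(entry: dict) -> bool:
    """What the index claims about a signature. After the change this is always
    False, so tooling must not read it as 'unsigned, therefore suspicious'."""
    return bool(entry.get("has_sig", False))


def legacy_signature_url(entry: dict) -> str:
    """Where a pre-existing detached signature lives: the file URL plus '.asc'.
    Old signatures stay downloadable, but PyPI makes no claim about them and
    new uploads never get one, so a 404 here is the normal case."""
    return entry["url"] + ".asc"


def verify_sha256(entry: dict, data: bytes) -> bool:
    """Compare downloaded bytes against the digest the index publishes.
    Constant-time comparison is not strictly needed for a public digest but
    costs nothing and avoids copy-paste into contexts where it would matter."""
    expected = entry["digests"]["sha256"].lower()
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def check_release(api_json: str, downloads: dict) -> dict:
    """Map each filename in the release to whether its downloaded bytes match
    the published sha256; a missing download counts as a failure."""
    results = {}
    for entry in release_files(api_json):
        data = downloads.get(entry["filename"])
        results[entry["filename"]] = data is not None and verify_sha256(entry, data)
    return results


if __name__ == "__main__":
    # Constructed downloads: the sdist is deliberately corrupted to show a mismatch.
    downloads = {
        "example_pkg-1.2.3-py3-none-any.whl": SAMPLE_WHEEL,
        "example-pkg-1.2.3.tar.gz": SAMPLE_SDIST + b"tampered",
    }
    for entry in release_files(SAMPLE_API_RESPONSE):
        print(f"{entry['filename']}: has_sig={advertises_pgp_signature(entry)} "
              f"legacy signature would be at {legacy_signature_url(entry)}")
    for name, ok in check_release(SAMPLE_API_RESPONSE, downloads).items():
        print(f"{name}: {'digest ok' if ok else 'DIGEST MISMATCH'}")
```

The caveat a practitioner should keep in mind: the sha256 digest only proves that the bytes you received are the bytes the index holds. It says nothing about who uploaded them, which is what a verifiable maintainer signature would have established, and per the audit above that assurance was rarely available even before the change.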
These measures are intended to improve the safety and privacy of PyPI users.