PyPI's New Archival Feature Addresses a Major Security Flaw

The Python Package Index (PyPI) has announced "Project Archival," a new feature that lets publishers mark their projects as archived, signalling to users that no further updates are to be expected. Archived projects remain downloadable from PyPI, but visitors to the project page are warned about its maintenance status so they can make an informed decision about the dependency.

The feature is aimed at supply-chain security: compromising a developer account and pushing a malicious update to a widely used but abandoned project is a recurring pattern in the open-source ecosystem. Besides reducing that risk for users, a clear statement of a project's lifecycle state also cuts down on support requests.

How project archiving works

According to a detailed blog post by Trail of Bits, which built PyPI's project archival system, the feature adds a maintainer-controlled status that lets project owners declare a project archived, telling users that no further updates, patches, or maintenance should be expected.

Archiving is optional, but PyPI recommends that maintainers publish a final release before archiving, so that the package itself can carry the reasoning behind the decision and point users elsewhere. A project can be unarchived at any time if its maintainers decide to resume work.

Under the hood, the feature builds on the LifecycleStatus model that was originally introduced for project quarantine: a state machine that governs which transitions between lifecycle states are permitted.

When a project owner selects the 'Archive Project' option on the project's settings page, PyPI updates the project's metadata to reflect the new state. Trail of Bits says further statuses such as 'deprecated,' 'feature-complete,' and 'unmaintained' are planned, which would give users a finer-grained view of a project's condition.

The warning banner exists to push developers toward actively maintained alternatives instead of continuing to depend on out-of-date and potentially insecure projects. Abandoned packages are also a favourite target for attackers, who take over unmaintained projects and inject malicious code through an update that may land years after the previous release.
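Until archival status is something a client can query, the signal a practitioner can already act on is the release history itself. As an added illustration (not code from PyPI, Trail of Bits, or the original post), the script below looks for the two patterns described above: a dependency whose newest release is years old, and one that suddenly received a release after a long dormant period. It reads data shaped like the `releases` object of PyPI's JSON API (`https://pypi.org/pypi/<project>/json`, which maps each version to its files, each carrying `upload_time_iso_8601`); the sample metadata, project names and thresholds are constructed for the demonstration and describe no real package.

```python
"""Flag dependencies whose PyPI release history looks abandoned or freshly revived.

Added example, not PyPI's or Trail of Bits' code. The input mirrors the
``releases`` object of PyPI's ``/pypi/<project>/json`` endpoint (version ->
list of files, each carrying ``upload_time_iso_8601``); the sample below is
constructed and names no real package.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample data, shaped like the JSON API's "releases" object.
SAMPLE_METADATA = {
    "steady-lib": {
        "1.0.0": [{"upload_time_iso_8601": "2024-01-10T09:00:00.000000Z", "yanked": False}],
        "1.1.0": [{"upload_time_iso_8601": "2024-06-01T09:00:00.000000Z", "yanked": False}],
        "1.2.0": [{"upload_time_iso_8601": "2025-01-15T09:00:00.000000Z", "yanked": False}],
    },
    "dusty-lib": {
        "0.9": [{"upload_time_iso_8601": "2019-03-02T12:00:00.000000Z", "yanked": False}],
        "1.0": [{"upload_time_iso_8601": "2020-08-20T12:00:00.000000Z", "yanked": False}],
    },
    "revived-lib": {
        "2.3": [{"upload_time_iso_8601": "2018-05-05T08:00:00.000000Z", "yanked": False}],
        "2.4": [{"upload_time_iso_8601": "2025-01-20T08:00:00.000000Z", "yanked": False}],
        "2.5": [],  # a version whose files were all removed carries no date
    },
}
# Fixed "now" so the demonstration is reproducible (constructed).
NOW = datetime(2025, 2, 1, 12, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_dates(releases: dict) -> list[datetime]:
    """Earliest upload time of every version that still has non-yanked files, oldest first."""
    dates = []
    for files in releases.values():
        stamps = [_parse(f["upload_time_iso_8601"]) for f in files if not f.get("yanked")]
        if stamps:
            dates.append(min(stamps))
    return sorted(dates)


def assess(releases: dict, now: datetime,
           stale_after: timedelta = timedelta(days=3 * 365),
           dormancy: timedelta = timedelta(days=2 * 365)) -> dict:
    """Classify one project's history as active, stale, revived-after-dormancy or no-releases."""
    dates = release_dates(releases)
    if not dates:
        return {"status": "no-releases", "age_days": None, "gap_days": None}
    age = now - dates[-1]                                             # time since the newest release
    gap = dates[-1] - dates[-2] if len(dates) > 1 else timedelta(0)   # silence before that release
    if age >= stale_after:
        status = "stale"                    # nothing shipped in years: look for a maintained alternative
    elif gap >= dormancy:
        status = "revived-after-dormancy"   # recent release after years of silence: review it before upgrading
    else:
        status = "active"
    return {"status": status, "age_days": age.days, "gap_days": gap.days}


def audit(metadata: dict, now: datetime = NOW) -> dict:
    """Run assess() over every project and return {project name: result}."""
    return {name: assess(releases, now) for name, releases in metadata.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_METADATA).items():
        print(f"{name:12s} {result['status']:24s} age={result['age_days']} gap={result['gap_days']}")
```

A "revived-after-dormancy" hit is not proof of compromise, but it is exactly the shape of the update described above and deserves a look at who published it and what changed, before it is pulled into a build.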

When maintainers stop working on a project, some choose to delete it outright, which opens the door to "Revival Hijack" attacks, in which the now-free project name is re-registered by someone else and served to users who still install it. From a security standpoint, giving those maintainers the option to archive instead is clearly preferable.
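To make the difference between archiving and deleting concrete, here is a toy model of a maintainer-controlled lifecycle status, added as an illustration and not taken from PyPI's Warehouse code or from Trail of Bits. It sketches what the text describes (a state machine with archive and unarchive transitions, project metadata updated on each change, downloads still served with a warning) and contrasts it with deletion, which frees the name for re-registration. The state names, the rule that uploads are refused while a project is archived or quarantined, the admin-only quarantine transitions and the actor names are assumptions for the demonstration.

```python
"""Toy model of a maintainer-controlled project lifecycle status.

Added example, not code from PyPI/Warehouse or Trail of Bits. Everything
about roles, upload blocking and quarantine here is an assumption made for
the demonstration; only the archive/unarchive shape follows the announcement.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class LifecycleStatus(str, Enum):
    NONE = "none"              # ordinary, maintained project
    QUARANTINE = "quarantine"  # assumed: imposed by index admins, not by maintainers
    ARCHIVED = "archived"      # maintainer-declared: no further updates


# Legal transitions and the role allowed to trigger each one (assumptions).
TRANSITIONS = {
    (LifecycleStatus.NONE, LifecycleStatus.ARCHIVED): "owner",
    (LifecycleStatus.ARCHIVED, LifecycleStatus.NONE): "owner",   # unarchive
    (LifecycleStatus.NONE, LifecycleStatus.QUARANTINE): "admin",
    (LifecycleStatus.QUARANTINE, LifecycleStatus.NONE): "admin",
}


@dataclass
class Project:
    name: str
    owner: str
    status: LifecycleStatus = LifecycleStatus.NONE
    status_note: str = ""                       # assumed metadata field explaining the change
    releases: list[str] = field(default_factory=list)


class Registry:
    """Minimal index: the name -> project map is the only state that matters here."""

    def __init__(self) -> None:
        self.projects: dict[str, Project] = {}

    def register(self, name: str, owner: str) -> Project:
        if name in self.projects:
            raise ValueError(f"{name!r} is taken")  # archived projects keep their name
        self.projects[name] = Project(name, owner)
        return self.projects[name]

    def publish(self, name: str, actor: str, version: str) -> None:
        proj = self.projects[name]
        if actor != proj.owner:
            raise PermissionError("only the owner may upload")
        if proj.status is not LifecycleStatus.NONE:
            raise PermissionError(f"uploads refused while {proj.status.value}")  # assumption
        proj.releases.append(version)

    def set_status(self, name: str, actor: str, role: str,
                   new: LifecycleStatus, note: str = "") -> Project:
        proj = self.projects[name]
        needed = TRANSITIONS.get((proj.status, new))
        if needed is None:
            raise ValueError(f"no transition {proj.status.value} -> {new.value}")
        if needed != role or (role == "owner" and actor != proj.owner):
            raise PermissionError(f"{new.value} requires role {needed!r}")
        proj.status, proj.status_note = new, note   # metadata updated on every transition
        return proj

    def delete(self, name: str, actor: str) -> None:
        proj = self.projects[name]
        if actor != proj.owner:
            raise PermissionError("only the owner may delete")
        del self.projects[name]                     # the name is now free for anyone

    def install_banner(self, name: str) -> str | None:
        """Archived projects still download, with a warning; quarantined ones do not (assumption)."""
        proj = self.projects[name]
        if proj.status is LifecycleStatus.QUARANTINE:
            raise PermissionError("installs refused while quarantined")
        if proj.status is LifecycleStatus.ARCHIVED:
            return f"{name} is archived: no further updates or patches. {proj.status_note}".rstrip()
        return None


def scenario() -> dict[str, bool]:
    """Contrast deletion (name re-registrable) with archival (name reserved)."""
    reg = Registry()
    reg.register("old-tool", "alice")
    reg.publish("old-tool", "alice", "1.0")
    reg.delete("old-tool", "alice")
    # Revival hijack: the freed name is taken by someone else, who can now ship
    # a "new version" to everyone still installing old-tool.
    reg.register("old-tool", "mallory")
    reg.publish("old-tool", "mallory", "1.1")
    hijacked = reg.projects["old-tool"].owner == "mallory"

    reg.register("old-lib", "alice")
    reg.publish("old-lib", "alice", "1.0")
    reg.set_status("old-lib", "alice", "owner", LifecycleStatus.ARCHIVED, "Use new-lib instead.")
    try:
        reg.register("old-lib", "mallory")
        reserved = False
    except ValueError:
        reserved = True
    return {"deleted_name_hijacked": hijacked,
            "archived_name_reserved": reserved,
            "banner_shown": reg.install_banner("old-lib") is not None}


if __name__ == "__main__":
    print(scenario())
```

The point the model makes is structural: an archived project is still a row in the index that only its owner can touch, so the name cannot be claimed by a stranger, whereas a deleted one leaves nothing behind but a name that anyone may register.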

Ultimately, many open-source projects simply stop without any announcement, leaving users to guess whether they are still maintained. The new status removes that ambiguity with an explicit signal of a project's state, which should make open-source project lifecycles more transparent.