The Python Package Index (PyPI) has announced a new feature that allows package maintainers to archive a project, as part of its efforts to improve software supply chain security.
“Maintainers can now archive a project, which informs users that the project will not receive any more updates,” noted Facundo Tuesca, senior engineer at Trail of Bits.
The idea is to clearly tell developers that a Python library is no longer actively maintained and that no future security fixes should be expected.
That said, projects marked as archived remain available on PyPI, and users can continue to install them as before.
In a separate blog post describing the feature in detail, Tuesca noted that the maintainers are considering additional project status markers to better communicate a project's state to downstream consumers.
PyPI also recommends that package developers publish a final release before archiving, updating the project description to warn users and to point them to alternatives as a replacement.
The development comes shortly after PyPI launched the ability to quarantine projects, allowing administrators to mark a project as potentially suspicious and prevent other users from installing it, limiting further damage.
In November 2024, PyPI administrators quarantined a package after it was found to include malicious code that made use of Telegram.
Since August of last year, approximately 140 projects have been quarantined and subsequently removed.
“The presence of this intermediary stage allows PyPI admins to provide more safety for end users, removing a suspicious package from being installable more quickly while still allowing further investigation,” noted PyPI administrator Mike Fiedler.
“Because removing a project from PyPI is destructive, having a quarantine state allows the project to be restored if a report turns out to be a false positive, without destroying any of the project's history and metadata.”