This is a great interview! Mike (and Seth, who is tasked with addressing the non-PyPI security needs of the Python ecosystem) have been doing a great job both documenting and expanding the Python ecosystem’s security capabilities and outstanding needs.
PyPI’s security features have undergone a significant expansion since the backend rewrite back in 2017; I think it’s accurate to say that, since then, it has consistently been on the forefront (amongst its peer indices) in terms of adding scopeable API tokens, MFA, secret scanning, and most recently trusted publishing.
(FD: The company I work for helped add some of those features[1][2].)
[1]: https://blog.trailofbits.com/2019/06/20/getting-2fa-right-in...
[2]: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a...