← 返回首页
PEP 694: Address PEP Delegate's feedback by warsaw · Pull Request #4794 · python/peps · GitHub
Skip to content

Navigation Menu

Toggle navigation
Sign in
Appearance settings
Search or jump to...

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches

Use saved searches to filter your results more quickly

Appearance settings
Resetting focus
Merged
Changes from 1 commit
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
5e9d4b6
Respond to PEP Delegate's feedback
warsaw Jan 27, 2026
72f9e08
Add FAQ entries explaining why project name and version are required …
warsaw Jan 27, 2026
11f72a0
Add a Security Implications section
warsaw Feb 3, 2026
d6a146e
Remove orphaned footnote
warsaw Feb 4, 2026
dd843ad
Merge branch 'main' into pep-694-di-feedback
warsaw Mar 5, 2026
13c320d
Merge branch 'main' into pep-694-di-feedback
warsaw Jun 22, 2026
aac5876
More comments based on Dustin's feedback
warsaw Jun 24, 2026
5d001ee
Add extensive elaboration about the permission model
warsaw Jun 24, 2026
4dd2a7f
Remove the `metadata` key from the file upload session creation request
warsaw Jun 24, 2026
3b74338
Clarify the session publishing states and add a state transition table
warsaw Jun 24, 2026
f833beb
Fully document the file upload session state machine
warsaw Jun 24, 2026
9b1be58
Merge branch 'main' into pep-694-di-feedback
warsaw Jun 24, 2026
0ca97f8
Manual updates
warsaw Jun 25, 2026
f494eaf
typo
warsaw Jun 25, 2026
291712c
Add some drawings
warsaw Jun 26, 2026
44817f5
publishing session state svg
warsaw Jun 26, 2026
83608c7
Checkpoint
warsaw Jun 26, 2026
b2b5bab
Session publishing image keeper
warsaw Jun 26, 2026
c5c1ba4
File publishing session diagram is completed
warsaw Jun 26, 2026
437eda1
Slight tweak to file upload session
warsaw Jun 26, 2026
ba95416
Add the diagrams
warsaw Jun 26, 2026
4499b8f
First attempt for light/dark inversion
warsaw Jun 26, 2026
86748bb
Updated image color schemes
warsaw Jun 26, 2026
92656d7
Fixed all color schemes
warsaw Jun 26, 2026
5d2d4da
Cleaned up session diagram
warsaw Jun 26, 2026
abb2a2f
file session diagram clean
warsaw Jun 26, 2026
f3e9411
Better wording
warsaw Jun 27, 2026
613818b
Last minute cleanups
warsaw Jun 27, 2026
078cf78
Remove the intermediate drawio files
warsaw Jun 27, 2026
6df4e94
trailing newlines
warsaw Jun 27, 2026
File filter

Filter by extension

Filter by extension .rst  (1) All 1 file type selected Viewed files
Conversations
Failed to load comments. Retry
Loading
Jump to
Jump to file
Failed to load files. Retry
Loading
Diff view
Unified
Split
Hide whitespace
Apply and reload
Show whitespace
Diff view
Unified
Split
Hide whitespace
Apply and reload
Prev Previous commit
Next Next commit
Add a Security Implications section
  • Loading branch information
warsaw committed Feb 3, 2026
commit 11f72a0d9d3faa0a7334d198e03efba2eeb8abfd
38 changes: 38 additions & 0 deletions peps/pep-0694.rst
Show comments View file Edit file Delete file Open in desktop
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Original file line number Diff line number Diff line change
Expand Up @@ -1243,6 +1243,43 @@ A suggested approach:
compatibility.


.. _security-implications:

Security Implications
=====================

Does PEP 694 make it easier to (maliciously) register project names, i.e. to name- or typo-squat? The authors
do not believe so. With the legacy API, it's trivially easy to create and upload a dummy package to register
a project name. This PEP does not effectively change that equation either way, nor does it aim to. That
said, indexes such as PyPI could impose additional limitations on project registration activities, such as
rate limiting either the legacy API or Upload 2.0 API for empty packages or sessions. An index such as PyPI
which supports organizations or :pep:`752`-style implicit namespaces, could implement different rate limiting
rules for different actors. Such implementations are left as index-specific policy decisions.

It's possible for a user with upload permissions at the start of a session to lose such permissions while a
session is open and before the entire session is published. Indexes should consider re-validating permissions
at key points during the session lifecycle, such as on artifact uploads, file upload session completion,
session extension requests, or at publish time.

Staged releases, while useful for testing and embargoes, do provide some potential for larger scale hosting of
malware which isn't detectable by third party, external scanning tools, because staged artifacts are only
visible to clients which hold the stage token/url. It's not clear how much proactive malware scanning is
actually going on today with indexes such as PyPI, so it's unclear whether the (optional) staging feature is
much of an additional malware vector. Indexes should likely do some amount of proactive malware scanning on
all artifacts, regardless of the protocol used to upload them. Indexes can also mitigate the problem by
putting limits on session extensions, which might differ between projects depending on the user or (in the
case of PyPI) organization which owns the project. Indexes can refuse to extend sessions, and they can use
this to limit the availability of packages with unverified contents.

Considering the testing and embargoed use cases may lead to different session expiry choices. Testing a
release can have a relatively short session lifespan, e.g. on the order of hours. Embargoed sessions may need
to be extended for several days or a few weeks. An index such as PyPI could use any number of criteria to
determine the total lifetime of any particular session, such as whether the credentials are a user or an
organization. An index could even support :ref:`index-specific-metadata` to decide whether the testing or
embargoed use case is being employed.

.. _faq:

FAQ
===

Expand Down Expand Up @@ -1376,6 +1413,7 @@ Change History
* Add non-normative :ref:`Recommendations for Client Implementers <client-recommendations>` section
with suggested UX patterns for tools like twine, uv, and GitHub Actions.
* Add FAQ entries explaining why project name and version are required at session creation.
* Add a :ref:`security-implications` section.

* `06-Dec-2025 <https://discuss.python.org/t/pep-694-pypi-upload-api-2-0-round-2/101483/35>`__

Expand Down
Loading
Toggle all file notes Toggle all file annotations

Footer

© 2026 GitHub, Inc.