AT2k Design BBS Message Area

From: VRSS
To: All
Subject: Python's PyPI Finally Gets Closer to Adding 'Organization Accoun
Date/Time: April 5, 2025 11:40 AM

Feed: Slashdot
Feed Link: https://slashdot.org/
---

Title: Python's PyPI Finally Gets Closer to Adding 'Organization Accounts'
and SBOMs

Link: https://developers.slashdot.org/story/25/04/0...

Back in 2023 Python's infrastructure director called it "the first step in
our plan to build financial support and long-term sustainability of PyPI"
while giving users "one of our most requested features: organization
accounts." (That is, "self-managed teams with their own exclusive branded web
addresses" to make their massive Python Package Index repository "easier to
use for large community projects, organizations, or companies who manage
multiple sub-teams and multiple packages.") Nearly two years later, they've
announced that they're "making progress" on its rollout...

Over the last month, we have taken some more baby steps to onboard new
Organizations, welcoming 61 new Community Organizations and our first 18
Company Organizations. We're still working to improve the review and approval
process and hope to improve our processing speed over time. To date, we have
3,562 Community and 6,424 Company Organization requests to process in our
backlog.

They've also onboarded a PyPI Support Specialist to provide "critical
bandwidth to review the backlog of requests" and "free up staff engineering
time to develop features to assist in that review." (And "we were finally
able to finalize our Terms of Service document for PyPI," build the tooling
necessary to notify users, and initiate the Terms of Service rollout. [Since
launching 20 years ago PyPI's terms of service have only been updated twice.])

In other news the security developer-in-residence at the Python Software
Foundation has been continuing work on a Software Bill-of-Materials (SBOM) as
described in Python Enhancement Proposal #770. The feature "would designate a
specific directory inside of Python package metadata (".dist-info/sboms") as
a directory where build backends and other tools can store SBOM documents
that describe components within the package beyond the top-level component."

The goal of this project is to make bundled dependencies measurable by
software analysis tools like vulnerability scanning, license compliance, and
static analysis tools. Bundled dependencies are common for scientific
computing and AI packages, but also generally in packages that use multiple
programming languages like C, C++, Rust, and JavaScript. The PEP has been
moved to Provisional Status, meaning the PEP sponsor is doing a final review
before tools can begin implementing the PEP ahead of its final acceptance
into changing Python packaging standards. Seth has begun implementing code
that tools can use when adopting the PEP, such as a project which abstracts
different Linux system package managers' functionality to reverse a file path
into the providing package metadata.

Security developer-in-residence Seth Larson will be speaking about this
project at PyCon US 2025 in Pittsburgh, PA in a talk titled "Phantom
Dependencies: is your requirements.txt haunted?"

Meanwhile InfoWorld reports that newly approved Python Enhancement Proposal
751 will also give Python a standard lock file format.

---
VRSS v2.1.180528
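
As an added illustration of the ".dist-info/sboms" layout quoted in the
article (not code from Slashdot, the PSF or any packaging tool), this Python
script lists the bundled components declared by SBOM files inside a wheel.
The wheel, the package name `demo`, the component `libexample` and the choice
of CycloneDX JSON as the SBOM format are constructed assumptions.

```python
import io
import json
import zipfile
from pathlib import PurePosixPath


def find_sbom_members(wheel: zipfile.ZipFile) -> list[str]:
    """Return files under the top-level <name>.dist-info/sboms/ directory only."""
    found = []
    for name in wheel.namelist():
        parts = PurePosixPath(name).parts
        if (len(parts) >= 3 and parts[0].endswith(".dist-info")
                and parts[1] == "sboms" and not name.endswith("/")):
            found.append(name)
    return sorted(found)


def bundled_components(wheel_bytes: bytes) -> list[tuple[str, str, str]]:
    """List (sbom file, component name, version) for every CycloneDX component found."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for member in find_sbom_members(wheel):
            try:
                doc = json.loads(wheel.read(member))
            except (UnicodeDecodeError, json.JSONDecodeError):
                continue  # not JSON (could be another SBOM encoding); skip it
            if not isinstance(doc, dict) or doc.get("bomFormat") != "CycloneDX":
                continue
            for comp in doc.get("components", []):
                rows.append((member, comp.get("name", "?"), comp.get("version", "?")))
    return rows


def build_sample_wheel() -> bytes:
    """Constructed wheel: one Python module plus an SBOM naming a bundled C library."""
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.6",
            "components": [{"type": "library", "name": "libexample", "version": "1.2.3"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "")
        zf.writestr("demo-1.0.dist-info/METADATA", "Name: demo\nVersion: 1.0\n")
        zf.writestr("demo-1.0.dist-info/sboms/bundled.cdx.json", json.dumps(sbom))
        zf.writestr("demo/vendor/x.dist-info/sboms/ignored.json", json.dumps(sbom))
    return buf.getvalue()


if __name__ == "__main__":
    for row in bundled_components(build_sample_wheel()):
        print(*row)
```

A wheel that returns an empty list here either bundles nothing or declares
nothing, which is the gap a vulnerability scanner cannot see past.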