PyPI Subpoenaed: US Government Requests User Data

Rohan Timalsina

June 5, 2023 - TuxCare expert team

The Python Package Index (PyPI), with an extensive collection of more than 450,000 Python packages, is a highly popular repository among developers. These packages are stored as source archives referred to as “sdists” or as precompiled “wheels.”

The US Department of Justice issued three subpoenas to the Python Software Foundation (PSF), requesting the disclosure of PyPI user data. The focus of these subpoenas was on five specific PyPI usernames, and the data requested can be summarized as follows:


PyPI Data Request

  • Names, including subscriber names, user names, and screen names.
  • Addresses, including mailing, residential, business, and email addresses.
  • Connection records
  • Records of session times and durations, along with the temporarily assigned network address, such as Internet Protocol (IP) addresses, associated with those sessions.
  • Length of service, including the start date and the type of services utilized.
  • Telephone or instrument numbers, including the registration Internet Protocol (IP) address.
  • Means and source of payment for any such services, including any credit card or bank account number and billing records.
  • Records of all Python Package Index (PyPI) packages uploaded by the specified usernames.
  • IP download logs of any Python Package Index (PyPI) packages uploaded by the specified usernames.

As you can see, the Department of Justice requested a large amount of PyPI user data. After consulting with their legal counsel and concluding that there was nothing else the PyPI administrators could do, they had to comply, because the PSF is subject to US law. Resisting a subpoena is, of course, difficult. To further improve their users’ freedom, security, and privacy, PyPI and the PSF will review their current data and privacy procedures.

Conclusion

The Python Software Foundation will now create new data retention and disclosure policies to respond to future government data requests. These policies will also specify how, and for how long, personally identifiable information about users is stored on their systems. If you want to learn more about the information provided and PyPI’s efforts to be transparent, you can read their blog article.

TuxCare’s Extended Long-term Support (ELS) program for Python 2.7 allows you to continue using your existing software as you did previously. This program provides a modern platform that meets your compliance needs while ensuring that you receive essential security updates specifically addressing high and critical vulnerabilities.


The sources for this article include a story from It’s FOSS News.
