The Python Package Index (PyPI) has informed users that no modifications are expected with the launch of “Project Archival,” a new method that enables publishers to archive their projects. To assist users in making informed decisions regarding their dependencies, users will still be able to download the projects from PyPI, but they will be alerted of the maintenance status.
The new tool aims to strengthen supply-chain security, as hacking developer accounts and sending malicious updates to widely used but abandoned projects is a typical occurrence in the open-source community. In addition to minimising user risk, it lowers support requests by guaranteeing clear communication of the project’s lifecycle state.
Project archiving modus operandi
According to a detailed blog post by TrailofBits, the developer of PyPI’s new project archival system, the feature includes a maintainer-controlled status that enables project owners to declare their projects as archived, informing users that there will be no more updates, patches, or maintenance.