No joke: PyPI was subpoenaed

It’s getting worse:

That’s not an attack on PyPI as such. Just the USA throwing their weight around and demanding personal data on some users.

In the context of the recent waves of malware distributed through these repositories, it’s no wonder that law enforcement would request user data for their investigations, and hardly anything to be super concerned about.


Yeah, I agree. This is the US doing a “good thing” by chasing the bad guys.

What is a little more worrying is quite how heavy the malware barrage is getting for the small team who look after PyPI.

I don’t know enough of what PyPI is, but when you are down to one person fighting off the hordes it is a bit worrying. XKCD I do understand.


Events like that show however how important it is for projects to store and require as little data as necessary about a user. I think PyPI did a great job of documenting transparently what they shared.