PyDist takes a number of security measures to protect your packages:
- Packages (and all other data) are only transmitted over HTTPS.
- Packages uploaded to PyDist are stored in AWS S3, where they are encrypted at rest using AES-256.
- Access to packages is restricted to PyDist servers and the root PyDist AWS account, which is protected by 2FA.
- Access to the packages is logged by AWS S3 Server Access Logging.
- PyDist servers restrict SSH access by source IP address as well as by private key.
PyDist also provides several tools to help you secure your systems:
- Installing packages with read-only API keys, and scoping each key to only the packages required by the service using it, limits the damage if a key is compromised.
- You can track which keys have been used to download your packages on the Insights page, helping you spot unexpected activity.
- It's easy to rotate potentially compromised keys: you can disable the key on the Keys page, and delete it once you are sure disabling it hasn't broken anything.
- You can track which packages your servers are installing on the Insights page, which can help you spot malicious packages that have snuck into your dependencies via typo-squatting, or by malicious modifications to the dependencies of a legitimate package—as happened to the now-infamous event-stream NPM package.
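The two checks the last three items describe, a scoped key fetching something outside its scope and a dependency name that is a near-miss of a known package, can be run as a script over exported download records. The following is an added example, not PyDist's own code: PyDist shows this information on its Insights page, and the record format, key names, key scopes and package list below are constructed for the example.

```python
"""Audit constructed package-download records for two anomalies:
  1. a per-service read-only key fetching a package outside its scope
  2. a package name that closely resembles a known dependency (typo-squat)
Added example; the log format and all names here are constructed, not PyDist's."""
from dataclasses import dataclass
import difflib

# Hypothetical per-service key scopes: the packages each key was issued for.
KEY_SCOPES = {
    "key-web-01": {"requests", "django", "gunicorn"},
    "key-worker-01": {"requests", "celery"},
}

# Constructed allowlist of dependency names the organisation actually uses.
KNOWN_PACKAGES = {"requests", "django", "gunicorn", "celery", "urllib3"}

# Constructed download records: "<key> <package>==<version>" per line.
SAMPLE_LOG = [
    "key-web-01 requests==2.31.0",
    "key-web-01 django==4.2.7",
    "key-worker-01 celery==5.3.4",
    "key-worker-01 gunicorn==21.2.0",  # worker key fetching a web-only package
    "key-web-01 reqeusts==2.31.0",     # lookalike of "requests"
    "key-old-99 requests==2.31.0",     # key not issued to any current service
]


@dataclass(frozen=True)
class Download:
    key: str
    package: str
    version: str


def parse_line(line: str) -> Download:
    """Parse one constructed record; package names are normalised to lowercase."""
    key, spec = line.split(maxsplit=1)
    package, version = spec.split("==", 1)
    return Download(key, package.strip().lower(), version.strip())


def looks_like_typosquat(name, known=KNOWN_PACKAGES, cutoff=0.8):
    """Return the known package this name closely resembles, or None.

    An exact match is a legitimate dependency; a close-but-not-exact match
    (similarity ratio >= cutoff) is the pattern of a typo-squatted name.
    """
    if name in known:
        return None
    matches = difflib.get_close_matches(name, known, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def audit(lines, scopes=KEY_SCOPES, known=KNOWN_PACKAGES):
    """Return (key, package, reason) tuples for every suspicious record."""
    findings = []
    for line in lines:
        d = parse_line(line)
        if d.key not in scopes:
            findings.append((d.key, d.package, "unknown key"))
            continue
        if d.package not in scopes[d.key]:
            findings.append((d.key, d.package, "outside key scope"))
        near = looks_like_typosquat(d.package, known)
        if near:
            findings.append((d.key, d.package, f"resembles {near}"))
    return findings


if __name__ == "__main__":
    for key, package, reason in audit(SAMPLE_LOG):
        print(f"{key:15s} {package:12s} {reason}")
```

Feeding the script a real export rather than `SAMPLE_LOG` only requires adjusting `parse_line` to that format; the scope table is the same per-service mapping used when issuing the read-only keys, so a key that starts fetching outside it is exactly the "unexpected activity" worth investigating before rotating the key.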