PyPI’s New Project Archival Feature Blocks Hackers from Hijacking Abandoned Packages


PyPI Introduces Project Archival Feature to Enhance Security and Transparency

The Python Package Index (PyPI) has launched a new “Project Archival” system, enabling package maintainers to officially mark their projects as archived. This significant update aims to strengthen supply-chain security and improve communication about project maintenance status.

Key Features and Benefits:
– Projects remain hosted and downloadable on PyPI
– Clear warning banners inform users about archived status
– Maintainers can unarchive projects if development resumes
– Reduces the risk of abandoned-project hijacking: an archived project accepts no new uploads, and because it stays on PyPI its name cannot be re-registered by someone else
– Decreases unnecessary support requests

Technical Implementation:
The system builds on the LifecycleStatus model that PyPI had already created for project quarantine. A project owner archives a project from its settings page on PyPI; the status is recorded on the project and shown as a banner to visitors. Trail of Bits, which implemented the feature, plans to propose further statuses such as ‘deprecated,’ ‘feature-complete,’ and ‘unmaintained.’

Security Implications:
This feature addresses several security concerns in the open-source ecosystem:
– Lowers the risk of malicious takeovers of abandoned projects: while a project is archived it accepts no new uploads, so a forgotten or compromised maintainer account cannot quietly publish a new release unless the project is first unarchived
– Gives maintainers an alternative to deleting a project, which is the precondition for “Revival Hijack” attacks: when a project is deleted its name becomes free to re-register, and an attacker who claims it can publish releases that reach anyone still installing by that name
– Encourages users to seek actively maintained alternatives
– Provides transparency about project maintenance status
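Until a consumer sees the banner on pypi.org, the signals they can act on programmatically are the ones the PyPI JSON API already returns for each release file: its upload time and its yanked flag. The script below is an added example (not code from PyPI or Trail of Bits) that audits a set of dependencies from metadata in the shape of https://pypi.org/pypi/<project>/json and flags projects that look abandoned, or that suddenly resumed publishing after years of silence, which is exactly the pattern a revived or hijacked name produces. The sample metadata is constructed, and the day thresholds are assumptions for illustration, not PyPI policy; nothing here assumes the archived status itself is exposed through an API.

```python
"""Heuristic dependency-staleness audit over PyPI JSON-API-shaped metadata.

Added example; not PyPI or Trail of Bits code. It does not assume that the
archived flag is available programmatically; it uses two fields that the JSON
API does return per release file: upload_time_iso_8601 and yanked.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of https://pypi.org/pypi/<project>/json,
# trimmed to the fields used below. Project names and dates are made up.
SAMPLE_METADATA = {
    "activelib": {
        "releases": {
            "2.0.0": [{"upload_time_iso_8601": "2024-09-01T10:00:00.000000Z", "yanked": False}],
            "2.1.0": [{"upload_time_iso_8601": "2025-01-20T10:00:00.000000Z", "yanked": False}],
        },
    },
    "dormantlib": {
        "releases": {
            "0.4.2": [{"upload_time_iso_8601": "2019-03-05T08:30:00.000000Z", "yanked": False}],
        },
    },
    "revivedlib": {
        # Years of silence, then a brand-new release: the pattern a revived or
        # hijacked name shows. Worth a manual look before upgrading.
        "releases": {
            "0.9.0": [{"upload_time_iso_8601": "2018-06-01T00:00:00.000000Z", "yanked": False}],
            "1.0.0": [{"upload_time_iso_8601": "2025-01-25T00:00:00.000000Z", "yanked": False}],
        },
    },
    "yankedonly": {
        # Every file yanked: nothing a resolver will pick without an explicit pin.
        "releases": {
            "1.0.0": [{"upload_time_iso_8601": "2023-01-01T00:00:00.000000Z", "yanked": True}],
        },
    },
}

# Pinned "current time" so the verdicts below are reproducible (assumption).
FIXED_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)


def parse_upload_time(value: str) -> datetime:
    """Parse PyPI's ISO-8601 timestamps (they end in 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def release_timeline(project_meta: dict) -> list[tuple[datetime, str]]:
    """Chronological (upload_time, version) pairs, ignoring yanked files.

    A release's time is the earliest upload among its non-yanked files.
    """
    timeline = []
    for version, files in project_meta.get("releases", {}).items():
        times = [parse_upload_time(f["upload_time_iso_8601"])
                 for f in files if not f.get("yanked", False)]
        if times:
            timeline.append((min(times), version))
    return sorted(timeline)


def assess_project(project_meta: dict, now: datetime, *,
                   stale_days: int = 730, gap_days: int = 730,
                   recent_days: int = 180) -> str:
    """Classify one project as 'active', 'stale', 'sudden-revival' or 'no-releases'.

    Thresholds are assumptions for illustration, not PyPI policy:
    - stale: the newest usable release is older than stale_days
    - sudden-revival: the newest release is within recent_days but follows a
      silence longer than gap_days (review before upgrading)
    """
    timeline = release_timeline(project_meta)
    if not timeline:
        return "no-releases"
    newest_time, _ = timeline[-1]
    if now - newest_time > timedelta(days=stale_days):
        return "stale"
    if len(timeline) >= 2:
        previous_time, _ = timeline[-2]
        if (now - newest_time <= timedelta(days=recent_days)
                and newest_time - previous_time > timedelta(days=gap_days)):
            return "sudden-revival"
    return "active"


def audit(all_meta: dict, now: datetime | None = None, **thresholds) -> dict[str, str]:
    """Run assess_project over every dependency; returns {name: verdict}."""
    now = now or datetime.now(timezone.utc)
    return {name: assess_project(meta, now, **thresholds) for name, meta in all_meta.items()}


def audit_sample() -> dict[str, str]:
    """Audit the constructed sample at the pinned time."""
    return audit(SAMPLE_METADATA, FIXED_NOW)


if __name__ == "__main__":
    for name, verdict in audit_sample().items():
        print(f"{name:12s} {verdict}")
```

In practice the metadata would come from one GET per dependency in your lockfile; the verdicts are a prompt to look at the project page (where the archived banner now appears) rather than a decision on their own, since a long-quiet project can legitimately ship a security fix.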

Best Practices:
PyPI recommends that maintainers publish a final release before archiving, with the reason for the decision and any suggested replacement stated in that release's description; the trove classifier Development Status :: 7 - Inactive can carry the same signal in the package metadata. This ensures users understand the project’s status and can make informed decisions about their dependencies.

This new archival system represents a significant step forward in open-source project maintenance transparency, helping developers make better-informed decisions about their package dependencies while enhancing overall security.
