Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: PyPI complies with a “string of subpoenas,” and LTO continues to grow, despite predictions of its demise.
1. US Justice Dept. Subpoenas PSF
First up this week: The Python Software Foundation (PSF) has received subpoenas from the DoJ, asking for specific PyPI-user data. We now know about three of them and that the organization complied with the requests.
Analysis: Spot the Canary
Presumably, those three came without a gag order attached. But the PSF’s public account of the situation does rather imply there were others. The transparency shown here is a model for other organizations—including yours.
Jake Edge: PyPI was subpoenaed
On the PyPI blog, Director of Infrastructure at … PSF, Ee Durbin, has posted an admirably detailed description of the organization’s response to three subpoenas it received for PyPI user information in March and April. The requests for information were quite broad and the PSF did produce the requested material (to the extent possible), which involved five PyPI user accounts, under the advice of counsel.
The post goes on to detail exactly which fields in the database tables were used to fulfill the request (without identifying the targets, naturally). Meanwhile [Durbin] leaves open the possibility that further subpoenas have been received since that time.
Sourav Rudra: Python Software Foundation Complies with PyPI Subpoenas
“Identify malicious actors”
The Python Package Index (PyPI) is a very popular software repository among developers that provides over 450,000 Python packages, primarily hosting them as archives called ‘sdists’ or precompiled ‘wheels.’ … As the PSF is governed by the laws of the United States, they had to comply with it.
Of course, it is tough to fight against a subpoena. … Complying [for] a handful of users could have been the right course of action instead of putting the entire organization at risk.
The information they demanded would most likely be used to identify malicious actors involved in shady stuff. [Presumably] the government is trying to catch the malicious actors responsible for infecting PyPI and potentially affecting innocent users.
Horse’s mouth? Ee Durbin, PSF director of infrastructure: PyPI was subpoenaed
“With the advice of counsel”
In March and April 2023 … PSF received three (3) subpoenas … issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested.
The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible. In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data.
We will not be releasing the usernames involved publicly or to the users themselves. … We have waited for the string of subpoenas to subside, though we were committed from the beginning to write and publish this post as a matter of transparency, and as allowed by the lack of a non-disclosure order associated with the subpoenas received in March and April 2023.
Wait. Pause. That’s an odd choice of words. wongarsu sounds suspicious:
That’s suspiciously specific. Sounds to me like they also received some other subpoenas they aren’t allowed to talk about.
I’m not sure I’d call three subpoenas “a string of subpoenas” even if it’s technically correct. [And] specifically mentioning that the subpoenas from March and April 2023 don’t have a gag order? Why mention those months specifically if in the other months they didn’t receive any? The natural thing would have been to end the sentence six words earlier.
This is a canary. Wording leaves open the suggestion there might have been more subpoenas that did include an NDA.
laughingskeptic laughs, skeptically:
Only 5 accounts? PyPi had to suspend the creation of new accounts on May 20th because they couldn’t keep up with all of the malicious registrations. The number of undetected malicious accounts involved in crime is likely much larger than 5.
But it’s nbd, thinks geofft:
Most of this information — like what projects a user was uploading — really should be public anyway, and I appreciate that they detailed in the post that most of this information was indeed public. So, I suppose, this subpoena is almost certainly “good” — the data they got is much more useful for going after someone uploading malware to PyPI than for violating someone’s civil liberties.
2. Tape Storage: Not Dead
The consortium controlling the Linear Tape-Open (LTO) standard would like you to know that the data archiving format is alive and kicking. Sales continue to grow, albeit not as fast as last year.
Analysis: 150 EB is a lot of station wagons
LTO media is designed for a 30-year archive life, and member firms shipped almost 150 exabytes of LTO Ultrium media in 2022 alone. The need for fast, inexpensive, reliable backup/archival storage ain’t going away anytime soon.
Francisco Pires: Tape Storage Trundles On
“No, tape isn’t dead”
“Tape storage is dead” is one of those prophecies that has never seemed to actualize itself: demand for slow yet cost-effective and reliable storage solutions hasn’t gone the way of the dodo. On the contrary; the LTO … Program group (a collective of tape specialist companies made up of HPE, IBM and Quantum Corporation) just announced a 0.5% YoY increase in shipments.
That may not seem like much, but the bigger context is that that 0.5% growth rests atop a staggering 40% volume increase seen [in 2021]. No, tape isn’t dead—and contrary to what you may have read, HDDs aren’t going to be extinct by 2028, either. … The AI boom for unstructured data means increased demand for cheap, reliable, and capacious storage. The LTO Program’s growth is mostly fueled by hyperscalers and enterprises.
LTO-8 continues to be a great seller for value-conscious buyers. … But [LTO-9] has increased compressed data density … and transfer rates of up to 900 MB/s.
How fast? j_not_j:
Current LTO drives need to be fed at hundreds of megabytes per second for writing. This is well beyond what 1-gig Ethernet can do.
Meanwhile, Kamen Rider Blade requests that you exit the grassed area:
I prefer the old 2 Reel Tape Cassettes with integral Spools/Reels. … The biggest problem is the single reel design of LTO Tape Cassettes.
The Moral of the Story:
The report of my death has been grossly exaggerated
—Albert Bigelow Paine misquoting Mark Twain
You have been reading The Long View by Richi Jennings. You can contact him at @RiCHi or [email protected].
Image: Vasilis Karkalas (via Unsplash; leveled and cropped)