
PEP 458 a solution not only for PyPI

Formal Metadata

Title: PEP 458 a solution not only for PyPI
Number of Parts: 141
License: CC Attribution - NonCommercial - ShareAlike 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this

Content Metadata

Abstract

PEP 458 uses cryptographic signing on PyPI to protect Python packages against attackers. The implementation of the PEP inspired the Repository Service for TUF (RSTUF), a project accepted into the OpenSSF sandbox. We identified that the design could benefit other organizations and repositories looking to secure their software supply chains. In this talk we will answer the following questions:

- How did the PEP 458 design help to start the Repository Service for TUF (RSTUF)?
- How could RSTUF be used for PyPI with its millions of packages?
- How can RSTUF be deployed by any organization at any scale without requiring TUF expertise?

Additionally, we will give an overview of PEP 458 and how it works, together with a high-level overview of TUF.