Over the past year, PyPI (the default package index for the Python ecosystem) has moved rapidly to adopt digital attestations, building atop the foundations offered by the Sigstore project and previous initiatives like Trusted Publishing. This work has left PyPI itself in a stronger position than ever before, but has not yet meaningfully diminished the amount of trust required by package consumers in PyPI. This talk attempts to tackle the latter: it imagines a hypothetical “zero-trust” future for PyPI, and asks which technologies (whether currently practical and not) could get us to that future.
Speaker
William Woodruff is an Engineering Director at Trail of Bits, a NYC-based consultancy. He splits his time between OSS engineering and running the Ecosystem Security group, which is responsible for contributing security and usability improvements to a wide range of OSS tools and services (PyPI, Homebrew, pip-audit, Sigstore, LLVM, PyCA Cryptography, etc.). Outside of work, William is a maintainer of Homebrew and contributes to a variety of OSS projects. He blogs at https://blog.yossarian.net.