PEP 740 and PyPI - Bootstrapping Provenance for the Python Ecosystem

Learn about the implementation of PEP 740 and its impact on PyPI's security infrastructure in this technical talk from Trail of Bits' William Woodruff. Explore how PyPI, serving over 1.2 billion downloads daily across 500,000 unique packages, is enhancing its security features through digital attestations. Discover the integration of PEP 740 with industry standards like Sigstore, in-toto, and SLSA, and understand how this implementation enables strong maintainer digital provenance for Python packages. Gain insights into how this security enhancement avoids traditional complications of key management, identity management, and complex signing ceremonies while building upon PyPI's existing Trusted Publishing framework.