PEP 740 and PyPI - Bootstrapping Provenance for the Python Ecosystem

OpenSSF via YouTube

Overview

Learn about the implementation of PEP 740 and its impact on PyPI's security infrastructure in this technical talk from Trail of Bits' William Woodruff. Explore how PyPI, serving over 1.2 billion downloads daily across 500,000 unique packages, is enhancing its security features through digital attestations. Discover the integration of PEP 740 with industry standards like Sigstore, in-toto, and SLSA, and understand how this implementation enables strong maintainer digital provenance for Python packages. Gain insights into how this security enhancement avoids traditional complications of key management, identity management, and complex signing ceremonies while building upon PyPI's existing Trusted Publishing framework.

Syllabus

PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem - William Woodruff

Taught by

OpenSSF
