PEP 740 and PyPI - Bootstrapping Provenance for the Python Ecosystem

Overview

Learn about the implementation of PEP 740 and its impact on PyPI's security infrastructure in this technical talk from Trail of Bits' William Woodruff. Explore how PyPI, serving over 1.2 billion downloads daily across 500,000 unique packages, is enhancing its security features through digital attestations. Discover the integration of PEP 740 with industry standards like Sigstore, in-toto, and SLSA, and understand how this implementation enables strong maintainer digital provenance for Python packages. Gain insights into how this security enhancement avoids traditional complications of key management, identity management, and complex signing ceremonies while building upon PyPI's existing Trusted Publishing framework.

Syllabus

PEP 740 and PyPI: Bootstrapping Provenance for the Python Ecosystem - William Woodruff

Taught by

OpenSSF

Reviews

Start your review of PEP 740 and PyPI - Bootstrapping Provenance for the Python Ecosystem

Coursera Cuts Jobs Despite $100M Revenue Milestone

Most common

Popular subjects

Popular courses

PEP 740 and PyPI - Bootstrapping Provenance for the Python Ecosystem

Overview

Syllabus

Taught by

Reviews

Coursera Cuts Jobs Despite $100M Revenue Milestone

Taught by

Trusted Publishing: Lessons from PyPI

Securing Python Projects Supply Chain

PEP 458 - A Solution Not Only for PyPI

Implementing PEP 458 to Secure PyPI Downloads

In-Toto: Attestations and Software Supply Chain Security

The Chain of Trust - Towards SLSA L3 with Tekton Trusted Artifacts

Never Stop Learning.