Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Trusted Publishing: Lessons from PyPI

OpenSSF via YouTube

Overview

Explore the concept of "trusted publishing" in this 24-minute conference talk by William Woodruff from Trail of Bits, presented at OpenSSF. Gain a developer-focused introduction to the OpenID Connect-based authentication scheme successfully implemented by PyPI to reduce reliance on manual API tokens. Discover how thousands of packages, including critical Python packages, have adopted trusted publishing to enhance security and auditability in the Python ecosystem. Delve into a two-part discussion: first, examine the high-level overview of trusted publishing, its use of ephemeral OpenID Connect credentials, and its security advantages over traditional authentication methods. Then, dive into the technical details of PyPI's implementation, addressing challenges with OIDC, multiple identity provider support, threat model considerations, and potential future integrations with code-signing schemes like Sigstore.

Syllabus

Trusted Publishing: Lessons from PyPI - William Woodruff, Trail of Bits

Taught by

OpenSSF

Reviews

Start your review of Trusted Publishing: Lessons from PyPI

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.