Overview
Explore the ongoing efforts to implement PEP 458 for securing PyPI downloads in this 32-minute conference talk from EuroPython 2022. Delve into the importance of protecting software repositories against attacks and their potential widespread impact. Learn about PEP 458's design to safeguard PyPI's content distribution network and mirrors, as well as its role as a foundation for the more advanced protection outlined in PEP 480. Discover how both PEPs implement "The Update Framework" (TUF) specification, introducing roles, keys, and metadata formats for package protection. Gain insights into the integration of the latest Python TUF reference implementation with PyPI/Warehouse, including challenges faced and expected timeline. Understand the implications for Python developer and user workflows, and get a glimpse of the future with full developer-to-user end-to-end protection of Python packages as described in PEP 480. Join the speakers in their call to action for community involvement in software supply chain security through review, commentary, and contributions to the PEP 458 and PEP 480 integration efforts.
Syllabus
WIP: Implementing PEP 458 to Secure PyPI downloads - presented by Kairo de Araujo, Lukas Pühringer
Taught by
EuroPython Conference