| title |
Imagining a zero-trust future for PyPI |
| date |
2024-10-10 |
| authors |
|
| conference |
Transparency.dev Summit 2024 |
|
| resources |
| label |
path |
Slides |
slides.pdf |
|
|
Over the past year, PyPI (the default package index for the Python ecosystem)
has moved rapidly to adopt digital attestations, building atop the foundations
offered by the Sigstore project and previous initiatives like Trusted
Publishing. This work has left PyPI itself in a stronger position than ever
before, but has not yet meaningfully diminished the amount of trust required by
package consumers in PyPI. This talk attempts to tackle the latter: it imagines
a hypothetical "zero-trust" future for PyPI, and asks which technologies
(whether currently practical and not) could get us to that future.