Over the past year, PyPI (the default package index for the Python ecosystem) has moved rapidly to adopt digital attestations, building atop the foundations offered by the Sigstore project and previous initiatives like Trusted Publishing. This work has left PyPI itself in a stronger position than ever before, but it has not yet meaningfully diminished the amount of trust that package consumers must place in PyPI. This talk attempts to tackle the latter: it imagines a hypothetical “zero-trust” future for PyPI, and asks which technologies (whether currently practical or not) could get us to that future.
Presented at:
- Transparency.dev summit, 2024
Authored by:
- William Woodruff