
Imagining a zero-trust future for PyPI

Over the past year, PyPI (the default package index for the Python ecosystem) has moved rapidly to adopt digital attestations, building atop the foundations offered by the Sigstore project and earlier initiatives such as Trusted Publishing. This work has left PyPI itself in a stronger position than ever before, but it has not yet meaningfully reduced the amount of trust that package consumers must place in PyPI. This talk attempts to tackle that remaining problem: it imagines a hypothetical "zero-trust" future for PyPI, and asks which technologies (whether currently practical or not) could get us to that future.

Presented at:

Authored by:

  • William Woodruff