Martin Vrachev is an Open Source Engineer in the VMware Open Source Program Office (OSPO) on the Security Supply Chain team. He has contributed to multiple open source security projects solving a variety of problems. His latest work focuses on secure software supply chains, and more precisely on contributions to RSTUF and Python-TUF. Martin's past contributions include static analysis security tools (Gosec, Precaution) and vulnerability scanners for container images (Clair).
PEP 458 brings cryptographic signing of repository metadata to PyPI, based on The Update Framework (TUF), so that installers can verify the Python packages they download rather than trusting the repository and the path to it. The implementation of the PEP inspired the Repository Service for TUF (RSTUF), a project accepted into the OpenSSF sandbox. We identified that the design could benefit other organizations and repositories looking to secure their software supply chains.
In this talk we answer the following questions:
- How did the PEP 458 design help to start the Repository Service for TUF (RSTUF)?
- How could RSTUF be used for PyPI with its millions of packages?
- How can RSTUF be deployed by any organization at any scale without requiring TUF expertise?
We also give an overview of PEP 458 and how it works, along with a high-level introduction to TUF.