Kairo de Araujo
.ical

Kairo is a Senior Open Source Software Engineer at VMware Open Source Program Office (OSPO) on the Security Supply Chain team. He contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Prior roles include System Engineer Specialist and Senior Software Engineer at IBM, ING, and Forescout.

The speaker's profile picture

Sessions

07-20
14:35
30min
PEP 458 a solution not only for PyPI
Kairo de Araujo, Martin Vrachev

PEP 458 uses cryptographic signing on PyPI to protect Python packages against attackers. The implementation of the PEP inspired the Repository Service for TUF (RSTUF), a project accepted into the OpenSSF sandbox. We identified that the design could benefit other organizations and repositories looking to secure their software supply chains.
In this talk we would answer the following questions:
- How did the PEP 458 design help to start the Repository Service for TUF (RSTUF)?
- How could RSTUF be used for PyPI with its millions of packages?
- How can RSTUF be deployed by any organization at any scale without requiring TUF expertise?

Additionally, in this talk, we would give an overview of PEP 458, how it works, and give a high-level overview of TUF.

Security
South Hall 2A