PEP 458 a solution not only for PyPI
07-20, 14:35–15:05 (Europe/Prague), South Hall 2A

PEP 458 uses cryptographic signing on PyPI to protect Python packages against attackers. The implementation of the PEP inspired the Repository Service for TUF (RSTUF), a project accepted into the OpenSSF sandbox. We identified that the design could benefit other organizations and repositories looking to secure their software supply chains.
In this talk we would answer the following questions:
- How did the PEP 458 design help to start the Repository Service for TUF (RSTUF)?
- How could RSTUF be used for PyPI with its millions of packages?
- How can RSTUF be deployed by any organization at any scale without requiring TUF expertise?

Additionally, in this talk, we would give an overview of PEP 458, how it works, and give a high-level overview of TUF.

PEP 458 was designed to protect PyPI against various possible attacks on PyPIs own content distribution network and its mirrors while giving administrators a mechanism to recover from a compromise if it happens using The Update Framework (TUF).
Using Repository Service for TUF (RSTUF) is actually deploying TUF as a service based on PEP 458 design to solve a lot of common problems for repositories. It will help PyPI maintainers to integrate TUF using simple REST API calls without adding a large amount of code in the PyPI/Warehouse code base.
In this talk, we will recap PEP 458 and TUF, and what they are good for. We will show how RSTUF works and demonstrate the integration with Warehouse. Additionally, we will share how other organizations could use RSTUF to protect their clients.

Expected audience expertise


Kairo is a Senior Open Source Software Engineer at VMware Open Source Program Office (OSPO) on the Security Supply Chain team. He contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Prior roles include System Engineer Specialist and Senior Software Engineer at IBM, ING, and Forescout.

Martin Vrachev is an Open Source Engineer in the VMware Open Source Program Office (OSPO) on the Security Supply Chain team. He has contributed to multiple Open Source security projects solving a variety of problems. His latest work is focused on secure software supply chain and more precisely on contributions towards RSTUF and Python-TUF. Martin's past contributions are towards security static analysis tools (Gosec, Precaution) and vulnerability scanning tools for images (Clair).