PEP 458 specifies how PyPI signs its repository metadata with The Update Framework (TUF) so that clients can detect tampered or stale packages, even when the index or its mirrors are compromised. Implementing the PEP inspired the Repository Service for TUF (RSTUF), a project accepted into the OpenSSF sandbox. We identified that the design could benefit other organizations and repositories looking to secure their software supply chains. In this talk we will answer the following questions:
- How did the PEP 458 design help to start the Repository Service for TUF (RSTUF)?
- How could RSTUF be used for PyPI with its millions of packages?
- How can RSTUF be deployed by any organization at any scale without requiring TUF expertise?
Additionally, we will give an overview of PEP 458 and how it works, together with a high-level overview of TUF.
PEP 458 was designed to protect PyPI against a range of attacks on PyPI's own content distribution network and its mirrors, using The Update Framework (TUF), while giving administrators a mechanism to recover if a compromise does happen. RSTUF deploys TUF as a service, following the PEP 458 design, to solve problems common to package repositories. It lets PyPI maintainers integrate TUF through simple REST API calls, without adding a large amount of code to the PyPI/Warehouse code base.

In this talk, we will recap PEP 458 and TUF and what they are good for. We will show how RSTUF works and demonstrate the integration with Warehouse. Additionally, we will share how other organizations could use RSTUF to protect their clients.