It’s happening: TUF joins PyPI (Warehouse)

Track: Security
Type: Talk
Level: beginner
Room: South Hall 2B
Start: 11:55 on 12 July 2024
Duration: 30 minutes

Abstract

The Update Framework (TUF) has been a prime reference for secure package delivery and updates for many years. Despite its popularity, integrating with existing package managers remains challenging.

PEP 458 is a very good example of some of the related challenges. Authored a decade ago, it aims to protect the freshness, consistency, and integrity of packages in the Python Packaging Index (PyPI) and provide compromise resilience. Even though these goals remain largely unaddressed, PEP 458 has not made its way into production yet!

With Repository Service for TUF (RSTUF), a new tool has emerged that makes implementing and maintaining a TUF-powered package repository a black box for repository maintainers. It has become mature enough to kick off an incremental integration in Warehouse and RubyGems.

In this talk, Kairo, RSTUF’s tech lead, and Lukas, TUF project maintainer, will show how RSTUF has evolved and allowed us to take a big leap towards adopting TUF in Warehouse and elsewhere. Primers on TUF, PEP 458, and Warehouse will be included.

