Title: Sigstore for Python Packaging: Next Steps for Adoption
Date: 2022-10-25
Resources: Slides (slides.pdf)
Sigstore is coming to the Python packaging ecosystem!

For the past 9 months, engineers at Trail of Bits have worked with members and
stakeholders of the Sigstore community to develop sigstore-python, a
high-quality Python API and CLI for producing and verifying Sigstore-style
(keyless, identity-bound) signatures. Now comes the hard part: convincing
members of Python's packaging ecosystem, one of the largest and most critical
in the industry, to adopt Sigstore in their package publishing and consumption
workflows.

This talk surveys the Python packaging ecosystem and considers the ways in
which Sigstore fits into the packaging user experience. Particular attention is
given to two groups of packaging users: "ordinary" users, who should gain
baseline authenticity and integrity guarantees without substantially altering
their workflows, and "proactive" users, who should be able to opt into
additional security guarantees (such as verification against TUF-attested
claims) both when publishing their own packages and when consuming others'.