Overview
Explore a new approach to package signing in the Python ecosystem in this 29-minute conference talk from PyCon US. Learn how PyPI addressed the longstanding challenges of end-to-end signing and verification in open source packaging: correct use of cryptography, secret management, and establishing trust, the same problems that led PyPI to disable its earlier PGP signature support. Discover the architectural design and implementation details of digital attestations as standardized in PEP 740, which sidesteps the traditional constraints of end-user signing by enabling signing by default for a significant portion of the ecosystem without requiring maintainers to change their existing packaging workflows. Understand the security properties and transparency features of the attestation system, examine how it was deployed across both PyPI's infrastructure and client-side upload tooling, and gain insight into the roadmap, including components still missing, such as large-scale verification by third parties other than PyPI itself. Develop a comprehensive understanding of the technical and social challenges inherent in end-user signing, how PEP 740's design addresses them, and practical knowledge of producing and consuming attestations in current Python packaging workflows.
Syllabus
Attestations: a new generation of signatures on PyPI - William Woodruff
Taught by
PyCon US