Trusted Publishing: Lessons from PyPI
Offered By: OpenSSF via YouTube
Course Description
Overview
Explore the concept of "trusted publishing" in this 24-minute conference talk by William Woodruff from Trail of Bits, presented at OpenSSF. Gain a developer-focused introduction to the OpenID Connect-based authentication scheme successfully implemented by PyPI to reduce reliance on manual API tokens. Discover how thousands of packages, including critical Python packages, have adopted trusted publishing to enhance security and auditability in the Python ecosystem. Delve into a two-part discussion: first, examine the high-level overview of trusted publishing, its use of ephemeral OpenID Connect credentials, and its security advantages over traditional authentication methods. Then, dive into the technical details of PyPI's implementation, addressing challenges with OIDC, multiple identity provider support, threat model considerations, and potential future integrations with code-signing schemes like Sigstore.
Syllabus
Trusted Publishing: Lessons from PyPI - William Woodruff, Trail of Bits
Taught by
OpenSSF
Related Courses
Project Zen - Improving Apache Spark for Python UsersDatabricks via YouTube Your Step by Step Guide on Python Libraries Development
Prodramp via YouTube Python Unit Testing and Package Submission - Build with Python 5
Samuel Chan via YouTube Building and Publishing a Python Package - How to Distribute on PyPI
Samuel Chan via YouTube Secure Python Packaging and Release Using Continuous Deployment
Linux Foundation via YouTube