Work in Progress: Implementing PEP 458 to Secure PyPI downloads

Room:: Liffey B
Start (Dublin time):: 11:55 on 15 July 2022
Start (your time):: 10:55 on 15 July 2022
Duration:: 30 minutes

Abstract

PEP 458 uses cryptographic signing on PyPI to protect Python packages against attackers. In this talk we will share our lessons learned from the ongoing implementation work in PyPI/Warehouse with the Python community. How does PEP 458 work and what is TUF? What protection can it offer now and what does it enable in the future? And how am I affected as a Python developer and as a user?

TalkSecurity

Description

Attacks on software repositories are extremely common and can have a vast impact. A single successful compromise of the content distribution infrastructure can affect millions of users, voluntarily installing the infected packages.

PEP 458 was designed to protect PyPI against a variety of possible attacks on PyPIs own content distribution network and PyPI mirrors, while giving administrators a mechanism to recover from a compromise if it happens. In addition, PEP 458 is a fundamental stepping stone for more advanced protection described in PEP 480.

Both PEP 458 and 480 implement a specification called "The Update Framework" (TUF), which introduces a series of roles, keys and metadata formats that are published along with the packages they protect, and can be verified by a client software such as pip.

Over the past couple of months we have made an effort to integrate the latest version of the Python TUF reference implementation with PyPI/Warehouse (see draft PR).

In this talk we will give an introduction to PEP 458 and TUF, how it works and what it is good for. We will report from the work-in-progress integration with Warehouse, what challenges we face and how Python developer and user workflows are affected, as well as an expected timeline for the integration. And last but not least, we want to give an outlook of what comes after PEP 458, that is full developer-to-user end-to-end protection of Python packages as described by PEP 480.

With our talk we also hope to spark interest in software supply chain security and to encourage the community to get involved by reviewing, commenting and contributing to the PEP 458 and PEP 480 integration efforts.

The speakers

Kairo de Araujo

I am an Open Source Software Engineer at VMware Inc, a staff member of the VMware Open Source Program Office (OSPO), working on the Security Supply Chain team. Currently, I am focused on PyPI.org, Python-TUF, and some contributions to Tern Tools. As a Software Engineer, I have contributed to Open Source and writing software since 2013. I am a former system engineer; however, I use these technologies daily. I have long experience in Infrastructures such as Networking, Cloud, Virtualization, Storage Area Networks, and Storage Disks. I have worked for IBM, ING, and Forescout in the past.

Lukas Pühringer

Lukas Pühringer is a research scholar and software developer at the NYU Center for Cyber Security (CCS), where he leads the development of The Update Framework (TUF), and has been co-maintaining several of Prof. Justin Cappos’ software projects, most notably the supply chain security framework in-toto. Lukas also supervises students and gives talks about TUF and in-toto.