Brussels / 3 & 4 February 2024


Making Python safer than ever

Python is one of the programming languages with a huge open-source supply chain. There are over 400,000 Python packages on the Python Package Index (PyPI) and many more on other registries like conda-forge, mostly for scientific libraries. Making sure this and the wider Python ecosystem are secure is a huge job and requires consistent contributions.

Thanks to OpenSSF’s Alpha-Omega project and AWS, we now have a PSF Security Developer-in-Residence and a PyPI Safety & Security Engineer, whose responsibilities include a security audit of the PyPI codebase and infrastructure, improving security practices, and establishing metrics on security posture to show the impact.

In this talk, Cheuk will go over the work that has been done by the PSF security team and what the best practices for Python library maintainers and users are.


Cheuk Ting Ho