Great question, @kknechtel. “Software supply chain security” is a pretty wide topic. The visualization that comes to mind first for software supply chain security is the one created by SLSA, which covers a lot of what you mentioned by showing different threats to the software supply chain. There’s even more beyond what is captured in the graph, like individual security, access control (who can do what), and vulnerability management and disclosure.
In general I’m looking to make improvements that will last beyond my time in the role, so security process improvements, project planning, advocating for adoptable security practices, reducing the burden on volunteers doing security work, providing more visibility into the Python ecosystem are all top-of-mind for me.
There’s a separate role being filled by the PSF for a PyPI Security and Safety Engineer who will work on preventing the distribution of malware on PyPI and other safety mechanisms for PyPI specifically. Look forward to more information on that on the PyPI blog.
Hope this clarifies more about the role!