PSF has published a Request for Information seeking software developers to add these features to Warehouse:
- Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
- Technical infrastructure and methods for automated detection of malicious package uploads
We’d like potential contractors & other experts to keep discussion in the Q4 RFI Discourse category, especially on these questions:
- What methods should we implement to detect malicious content?
- PEPs 458 and 480 offer different levels of security; which (if either) should we implement? Which one has more appropriate operational efficacy? Should we use TUF (The Update Framework) or another approach?
Please comment by September 18th. That’s when the RFI ends.
The Request for Proposals period will then run September 23-October 16, and we aim to start work in December. (Timeline details are in the RFI.)
(repeating from Prerequisites & vetoes -- improving packaging security since someone mentioned missing it there)