Reminder: comment by Sept. 18th on cryptographic signing & malware detection choices

PSF has published a Request for Information seeking software developers to add these features to Warehouse:

  • Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
  • Technical infrastructure and methods for automated detection of malicious package uploads

We’d like for potential contractors & other experts to keep discussion at the Q4 RFI Discourse category, especially on these questions:

Please comment by September 18th. That’s when the RFI ends.

Then, the Request for Proposals period will be September 23-October 16. Then we aim to start work in December. (Timeline details are in RFI.)

(repeating from Prerequisites & vetoes -- improving packaging security since someone mentioned missing it there)


[locking this thread at Sumana’s request, to keep discussion in the linked threads instead of here]