Complex topic.
Some random notes from me.
Yes, hosting your own server or mirror or proxy is a viable solution:
Seems like there are commercial solutions available with curated packages (at least that is what I understood from the descriptions, not endorsement from me):
- https://cloud.google.com/security/products/assured-open-source-software
- Try ActiveState's Open Source Language Automation Platform
- https://www.anaconda.com/
There are some tools you could add to your infrastructure (CI/CD pipelines for example), just to name a few:
As far as I can tell, the major code forges (GitHub, GitLab) have built-in tools and tooling to warn against potential security issues in your code:
There is (was) a proposal to strengthen the Python packaging ecosystem against “dependency confusion attacks”:
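As an added illustration of the mirror/proxy and dependency-confusion points above (my own example, not code from the post or from any of the tools linked): a small audit of a pip requirements file that flags an extra index (pip picks the highest version across all configured indexes, so a public package can shadow an internal one) and requirements that are not pinned to an exact version with a `--hash`. The index URLs and the hash in the sample are constructed placeholders.

```python
"""Audit a pip requirements file for settings that weaken a private-mirror setup."""
import re

# Constructed sample; the internal index URL and the hash are placeholders.
SAMPLE = """\
--index-url https://pypi.internal.example/simple   # private mirror
--extra-index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
internal-utils>=1.0
"""


def _logical_lines(text):
    """Join backslash-continued lines into logical ones, keeping the first line number."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if start is None:
            start = n
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def audit_requirements(text):
    """Return (line_no, message) findings; an empty list means nothing was flagged."""
    findings = []
    for n, line in _logical_lines(text):
        if not line:
            continue
        if line.startswith("--extra-index-url"):
            findings.append((n, "extra index configured: a public name can shadow a private package"))
            continue
        if line.startswith("-"):
            continue  # other pip options (--index-url, -r, -e ...) are not requirements
        name = re.split(r"[\s=<>!~;\[]", line, maxsplit=1)[0]
        if "==" not in line:
            findings.append((n, f"{name}: not pinned to an exact version"))
        if "--hash=" not in line:
            findings.append((n, f"{name}: no --hash, a substituted artifact would be accepted"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_requirements(SAMPLE):
        print(f"line {line_no}: {msg}")
```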