Wednesday, August 28, 2019

PyPI Security Q4 2019 Request for Information period opens.

The Python Software Foundation Packaging Working Group has received funding from Facebook research to develop and deploy enhanced security features on PyPI.
PyPI is a foundational component of the Python ecosystem and broader computer software and technology landscape. This project aims to improve the security and accessibility of PyPI for all users worldwide, whether they are direct users like project maintainers and pip installers or indirect users. The impact of this work will be highly visible and improve crucial features of the service.

Specifically, this project aims to implement verifiable cryptographic signing of artifacts and infrastructure to support automated detection of malicious uploads to the index.
We plan to begin the project in December 2019. Because of the size of the project, funding has been allocated to secure one or more contractors to complete the development, testing, and verification of the necessary features and to assist in their rollout.
Register Interest
To receive notification when our Request for Information period closes and the Request for Proposals period opens, please register your interest here.

What is the Request for Information period?

A Request for Information (RFI) is a process intended to allow us (The Python Software Foundation) and potential contractors to openly share information to improve the scope and definition of the project at hand. Also, we encourage stakeholders in the community with expertise in the project areas to contribute their viewpoints on open questions for the scope of the work.
We hope that it will help potential contractors better understand the work to be completed and develop better-specified proposals. Additionally, we have designed the RFI with an open nature in order to expose the project to multiple perspectives and help shape the direction of some choices in the project.
The Request for Information period opens today, August 28, 2019, and is scheduled to close September 18, 2019.
After the RFI period closes, we will use the results of the process to prepare and open a Request for Proposals to solicit proposals from contractors to complete the work.

More Information

The full version of our Request for Information document can be found here.

Participate!

Our RFI will be conducted on the Python Community Discussion Forum. Participants will need to create an account in order to propose new topics of discussion or respond to existing topics.
All discussions will remain public and available for review by potential proposal authors who do not wish to or cannot create an account to participate directly.