Open Source Summit Europe 2022

Community package repositories (like PyPI or NPM) struggle to keep up with modern security demands. In this talk Jussi will cover how the repositories - and the security expectations - have changed over time. He is going to focus on the obstacles: what is preventing faster integration of modern security practices? Are community repositories more problematic than software projects in general? Some practical examples will be covered, most importantly PyPIs goal of integrating The Update Framework (TUF) into their workflows: why has even a more minimal integration taken so long and what is preventing PyPI from leveraging TUF fully, when the potential advantages seem so obvious? Finally a collaboration project, Repository Playground, is proposed: A way for the various community repository projects and the independent security projects, such as the TUF community or the SLSA community, to work together to define Best Practices and workflows in a way that goes further than white papers. https://github.com/jku/repository-playground