September 13-16, 2022
Dublin, Ireland + Virtual
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit Europe 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Irish Standard Time (UTC +1). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Back To Schedule
Tuesday, September 13 • 14:10 - 15:45
Secure Python Packaging & Release Using Continuous Deployment - Martin Vrachev VMware & Jussi Kukkonen, Google

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Python open source projects package release processes are often ad hoc and not particularly secure: As an example, a compromise of a maintainer's account on PyPI typically means the attacker can upload as much malware as they want. After a release, it's also impossible to verify if the release content is correct or if it matches a specific source release. This tutorial will demonstrate how to use common Continuous Deployment systems (like GitHub and Gitlab) to release a Python project securely and easily. Some aspects that will be covered: - What are the security improvements we are aiming for? - What do we need to know about GitHub/Gitlab security features? - Build reproducibility – how and why? - How to setup automated deployment to PyPI using GitHub/Gitlab? - Signing and verifying releases using Sigstore.

avatar for Martin Vrachev

Martin Vrachev

Open Source Software Engineer, VMware
Martin Vrachev is an Open Source Engineer who has contributed to multiple Open Source security projects solving a variety of problems. His latest work is focused on secure software supply chain and more precisely on contributions towards Python-TUF. Martin's past contributions are... Read More →
avatar for Jussi Kukkonen

Jussi Kukkonen

Open Source Software Engineer, Google
Jussi is an experienced developer with a long Open Source background and an interest on build automation and supply chain security. He currently works on various upstream projects related to software supply chain security and is a maintainer of Python-TUF, the reference implementation... Read More →

Tuesday September 13, 2022 14:10 - 15:45 IST
Liffey B Part 2 (Level 1)
  SupplyChainSecurityCon, Countering Build Threats