Description
One of the most powerful parts of Python lies not within the language itself, but within the robust ecosystem of open-source Python packages available to use along with it. The Python Package Index, the canonical repository for Python code, hosts nearly 300,000 different projects. However, integrating software from so many third-parties comes at a cost: how can we be sure it's secure?
In this talk, we'll explore the common Python software supply chain, various ways in which such a supply chain can be attacked, as well as protected. We'll examine some tools and methodologies that help improve supply-chain security, and discuss the challenges and benefits these tools provide. Finally, we'll look at what fundamental improvements we can make to the overall ecosystem.