PyPI & cryptographic signing and malware detection - seeking comment

Python Software Foundation has published a Request for Information seeking software developers to add these features to Warehouse (PyPI):

* Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
* Technical infrastructure and methods for automated detection of malicious package uploads

More info: https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md

We'd like for potential contractors & other experts to keep discussion at the Discourse forum https://discuss.python.org/c/python-software-foundation/pypi-q4-rfi , especially on these questions:

* What methods should we implement to detect malicious content? https://discuss.python.org/t/what-methods-should-we-implement-to-detect-mali...

and

* PEPs 458 and 480 offer different levels of security; which (if either) should we implement? Which one has more appropriate operational efficacy? Should we use TUF (The Update Framework) or another approach? https://discuss.python.org/t/which-cryptographic-signing-approach/2241

and more generally:

* What should community acceptance criteria be?
* How feasible is it to implement this on PyPI?
* What features do PyPI administrators need to make use of these features in the future?
* What work would the developer need to do to make these features more maintainable by future Warehouse maintainers?

-- 
Sumana Harihareswara
PyPI project manager
Changeset Consulting
https://changeset.nyc

Sorry, forgot to add: Please comment by September 18th. That's when the RFI ends. Then, the Request for Proposals period will be September 23-October 16. Then we aim to start work in December. (Timeline details are in RFI.)

On 9/3/19 10:40 AM, Sumana Harihareswara wrote:
> https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md