PSF Hires PyPI Safety and Security Engineer

65 points by miketheman almost 2 years ago

7 comments

alanfranz almost 2 years ago
PyPI is just one gear in the quite broken Python packaging mess. But I hope it’s a good starting point!
ordx almost 2 years ago
The guy is a chair at the Women's Flat Track Roller Derby Association and previously worked at a cannabis company. Interesting career change.
benatkin almost 2 years ago
Please be vendor neutral and don't launch something that is GitHub only and centralized and fawn over GitHub's security. https://github.com/python-poetry/poetry/issues/7940#issuecomment-1551713573 https://news.ycombinator.com/item?id=35646436
alexk307 almost 2 years ago
I wrote a few scripts years ago to automate the creation of packages, name them something similar to a popular project (typo squatting), and then verify them by creating a new pypi user with a new email address. The payload was just an http request to a server I ran.

Submitted this to pycon, and I let the PSF know. Neither were interested. Haven't trusted a single Python package since.
KRAKRISMOTT almost 2 years ago
My wishlist: a mirror metadata service like Yarn to force pypi to innovate more. Pip is slow because it doesn't store the dependency metadata and has to download all upstream dependencies during the resolution phase. They were too busy wasting time on minor issues like domain squatting than core dependency resolution concerns. I also want to see Python support simultaneously conflicting diamond dependencies like Npm and Cargo. Python doesn't even support shading. One old dependency and your whole build breaks, with no recourse aside from forking upstream.
crabbone almost 2 years ago
Role mentions security. Candidate shows no experience with security.

It would've been weird... but then you remember it's Python. It's by amateurs for amateurs. Well, godspeed and god bless. Who knows, maybe despite the counter-indications something good will come out of it.
kapilvt almost 2 years ago
in the name of supply chain security, i just want verified package signatures (cosign, not the extant unused gpg), the new passwordless publication is a good step towards (get humans and static credentials out of pushing assets). actually one more minor, support for poetry in pip-audit.. https://github.com/pypa/pip-audit/issues/84