We are pleased to announce that Amazon Web Services (AWS) has stepped up as the security sponsor for the Python Package Index (PyPI) at the Python Software Foundation (PSF). This non-profit organization is dedicated to fostering open source technology related to the Python programming language. As part of this sponsorship, AWS will provide financial support to the PSF to employ a full-time Safety and Security Engineer focused on enhancing the security of PyPI. This initiative aligns with AWS’s broader commitment to bolstering open source software supply chain security.
Python enjoys immense popularity as an open source programming and scripting language among our clients, partners, and AWS engineers. According to the TIOBE Index (April 2023) and the PopularitY of Programming Language (PYPL) Index, it ranks as the top language. PyPI serves as the principal repository for Python software, with many applications depending on it for essential dependencies, avoiding the need to reinvent the wheel. Moreover, PyPI is the main distribution hub for Python libraries and applications.
At AWS, we understand that with great scale and success comes significant responsibility. Amazon and its customers develop solutions utilizing Python, highlighting the necessity of giving back to the open source communities we rely on and ensuring their sustainability. Since 2018, AWS has been a maintaining sponsor of the PSF, having supported the transition of PyPI to AWS infrastructure to address performance and scalability challenges. Thanks to the dedicated efforts of PSF Director of Infrastructure, Clara James, and the PyPI infrastructure team, the repository has achieved remarkable scalability. AWS continues to support PyPI through AWS credits, which help mitigate infrastructure costs.
However, PyPI now faces a pressing challenge in securing Python software packages at scale. The platform is frequently targeted by malicious actors, facing threats such as typosquatting, dependency injection, and dependency confusion. Businesses, including AWS, rely on PyPI to publish mission-critical software, and malicious packages that masquerade as legitimate offerings pose a significant risk. The growing number of security-related support tickets has created a backlog that is currently managed by a single part-time volunteer. While their efforts have been commendable, a more sustainable solution is essential.
As the inaugural PyPI Security Sponsor, we are providing additional funding to enable the PSF to recruit a full-time Safety and Security Engineer. This role will enhance PyPI’s capacity to swiftly remove malware and respond to security-related support tickets. Furthermore, it will allow PyPI to transition from a reactive security stance to a proactive one, establishing a comprehensive security plan with clear milestones and facilitating proper audits of new features before they launch.
Supply chain security is a widespread concern across the industry, and Python is not alone in facing these challenges. The Python Package Index is vital for countless users globally. A dedicated safety and security engineer will help reduce the current bottleneck of support issues, expedite malware removal, and maintain the security of PyPI for all its users. We look forward to continuing our collaboration with the Python Software Foundation to enhance the integrity of open source supply chains.