“Signing Ceremony” Marks Start of TUF/PyPI Deployment via PEP 458

On October 30 at 11:15 AM, the Python Software Foundation live-streamed a special ceremony that marked the first practical steps in deploying The Update Framework (TUF) to the Python Package Index (PyPI). During the ceremony, a key was generated that bootstraps the TUF secure software update technology—a Linux Foundation project overseen by NYU Tandon Associate Professor Justin Cappos—for the Python community’s repository for finding, sharing and uploading software.

Conducted by Python Software Foundation Director of Infrastructure Ernest W. Durbin III and Trail of Bits Senior Security Engineer William Woodruff, the key generation and signing were executed in keeping with the runbook published at https://github.com/psf/psf-tuf-runbook. The runbook documents how to implement the security policies for offline keys defined in PEP 458 – Secure PyPI downloads with signed repository metadata. To ensure transparency, the key generation and signing were live-streamed on the Python Software Foundation’s YouTube channel.

The signing ceremony was covered by a number of publications, including Hacker News and Full-stack Feed, and the recording can still be viewed via the YouTube link posted above.