Wrote down everything I wish I knew earlier about Python supply chain security. Hash pinning, pip-audit, SBOMs, trusted publishing — the whole thing. Enjoy 🐍🔒 https://bernat.tech/posts/securing-python-supply-chain/
Defense in Depth: A Practical Guide to Python Supply Chain Security

A comprehensive guide to securing your Python dependencies from ingestion to deployment, covering linting, pinning, vulnerability scanning, SBOMs, and attestations

Bernát Gábor - Engineering & Open Source

@gaborbernat @cxiao great write-up! perhaps also worth pointing out in the time-based defense section that pip v26 introduces `--uploaded-prior-to` which serves the same purpose as `uv`'s `--exclude-newer` as far as I know (although both are just one layer, and one that relies on the remote package repository not to lie)

Thanks for collating all this, happily sharing with my colleagues :)