Journals of Accelerator Conferences Website (JACoW)

JACoW is a publisher based in Geneva, Switzerland; through an international collaboration of editors it publishes the proceedings of accelerator conferences held around the world.


BibTeX citation export for THPDP067: Towards a Flexible and Secure Python Package Repository Service

@inproceedings{sinkarenko:icalepcs2023-thpdp067,
  author       = {I. Sinkarenko and B. Copy and P.J. Elson and F. Iannaccone and W.F. Koorn},
  title        = {{Towards a Flexible and Secure Python Package Repository Service}},
% booktitle    = {Proc. ICALEPCS'23},
  booktitle    = {Proc. 19th Int. Conf. Accel. Large Exp. Phys. Control Syst. (ICALEPCS'23)},
  eventdate    = {2023-10-09/2023-10-13},
  pages        = {1489--1493},
  paper        = {THPDP067},
  language     = {english},
  keywords     = {software, controls, operation, network, interface},
  venue        = {Cape Town, South Africa},
  series       = {International Conference on Accelerator and Large Experimental Physics Control Systems},
  number       = {19},
  publisher    = {JACoW Publishing, Geneva, Switzerland},
  month        = {02},
  year         = {2024},
  issn         = {2226-0358},
  isbn         = {978-3-95450-238-7},
  doi          = {10.18429/JACoW-ICALEPCS2023-THPDP067},
  url          = {https://jacow.org/icalepcs2023/papers/thpdp067.pdf},
  abstract     = {{The use of 3rd-party and internal software packages has become a crucial part of modern software development. Not only does it enable faster development, but it also facilitates sharing of common components, which is often necessary for ensuring correctness and robustness of developed software. To enable this workflow, a package repository is needed to store internal packages and provide a proxy to 3rd-party repository services. This is particularly important for systems that operate in constrained networks, as is common for accelerator control systems. Despite its benefits, installing arbitrary software from a 3rd-party package repository can pose security and operational risks. Therefore, it is crucial to implement effective security measures, such as usage logging, package moderation and security scanning. However, experience at CERN has shown off-the-shelf tools for running a flexible repository service for Python packages not to be satisfactory. For instance, the dependency confusion attack first published in 2021 has still not been fully addressed by the main open-source repository services. An in-house development was conducted to address this, using a modular approach to building a Python package repository that enables the creation of a powerful and security-friendly repository service using small components. This paper describes the components that exist, demonstrates their capabilities within CERN and discusses future plans. The solution is not CERN-specific and is likely to be relevant to other institutes facing comparable challenges. }},
}