PyPI Security Q4 2019 Request for Proposals period opens.

The Python Software Foundation Packaging Working Group has received a grant from Facebook Research to implement advanced security features for PyPI. These features include cryptographic signing of uploaded artifacts and the infrastructure necessary to implement automated detection of malicious files uploaded to the index.


The Python Package Index (PyPI) is a foundational component of the Python ecosystem and broader computer software and technology landscape. This project aims to improve the security and accessibility of PyPI for all users worldwide, whether they are direct users, like project maintainers and pip installers, or indirect users. The impact of this work will be highly visible and improve crucial features of the service.


We plan to begin the project in Quarter 4 of 2019. Because of the size of the project, funding has been allocated to secure one or more contractors to complete the development, testing, verification, and assist in the rollout of necessary features.


Timeline

Date          Milestone
September 25  Request for Proposal period opened.
October 21    Request for Proposal period closes.
October 29    Date proposals will have received a decision.
December 2    Contract work commences.


What is the Request for Proposals period?



A Request for Proposal (RFP) is a process intended to allow us (The Python Software Foundation) to collect proposals from potential contractors and select contractor(s) best suited to fulfill the specified work.


After the RFP period closes we will evaluate the received proposals based on the evaluation criteria, seek clarification from proposers as necessary, and select one or more contractors to complete the work specified in the scope.


The Request for Proposals period opens today, September 25th, 2019, and is scheduled to close October 21, 2019 AoE.


How do I submit a proposal?



First, please read the full contents of the Request for Proposals here!


You'll find the instructions for submission and the evaluation criteria, as well as the scope of the project, there.