Trishank Karthik Kuppusamy

Software supply chain security expert with 10+ years of knowledge. SLSA v1.0 and in-toto steering committee, Uptane advisor, TUF and SBOMit maintainer, Sigstore contributor.

Sessions

10-26
10:50
25min
Transparent compromise-resilience: How to bootstrap trust for the open-source ecosystem
Trishank Karthik Kuppusamy

A compromise of an entire open-source software package repository would be deadly serious, and we have ever more tools that try to address different parts of the story. The problem is that simply adding signatures to tamper-evident logs is not enough: given a software package, how can we tell why we are supposed to trust it in the first place? Who or what was supposed to sign the package? (This problem is reminiscent of the PGP/GPG Web of Trust.) Was the package tested for quality? Was it built on a trusted build platform? Who wrote the source code? Did anyone review the code? These questions and answers may be as varied as the hundreds of thousands of packages on such repositories. How would consumers such as package managers know which rules of the game to apply for which packages?

To solve this problem, we explain how to use three foundational open-source supply chain security frameworks: in-toto, The Update Framework (TUF), and Sigstore. If using in-toto is like Pfizer or Moderna vouching for exactly how a vaccine was made and what went into it, then TUF is like the FDA telling you why you should trust Pfizer and Moderna for the Comirnaty and Spikevax vaccines respectively in the first place, or continue to do so, while Sigstore is like the Library of Congress permanently recording the history of every single vaccine vial. We will use PyPI as a motivating example, and explain how the same ideas and techniques can be used to secure other package repositories such as Cargo, Homebrew, NPM, and RubyGems.

Main stage