The goal of pypi-transparency is very similar to the underlying motivation for the Golang team’s Checksum Database (also built with Trillian). Even though, PyPi provides hashes of the content of packages it hosts, the developer must trust that PyPi’s data is consistent. One ambition with pypi-transparency is to provide a companion, tamperproof log of PyPi package files in order to provide a double-check of these hashes. It is important to understand what this does (and does not) provide.

Now that I’ve (p)retired from Google, I’m starting this blog and will no longer post stories to Medium. As I concluded my time at Google, I wrapped up work on a Trillian prototype. As it remains Google’s IP, I’m not permitted to discuss it here. I’ve begun work on another Trillian prototype for Python package transparency, informally pypi-transparency.