How does Fromager rebuild entire Python dependency trees from source in a network-isolated environment? This deep dive explores how treating dependencies as a verifiable graph — not isolated artifacts — changes everything for enterprise software supply chain security.
When you pip install a package, you're trusting that every binary in the dependency chain was built honestly from the source it claims. For enterprises in regulated industries, that implicit trust is not enough.
Fromager takes a fundamentally different approach to Python packaging. Instead of downloading pre-built wheels and discarding dependency relationships after resolution, it builds a persistent, typed dependency graph that captures every relationship — build-time and run-time — and rebuilds everything from source inside hermetically sealed, network-isolated environments using Linux namespaces.
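To make the "dependency graph" idea concrete, here is a small added example (not Fromager's own code or graph format; the package names and edge types are constructed for illustration). It models a typed graph in which each edge is tagged as a build-time or run-time relationship, derives a source-rebuild order in which every dependency is built before the package that needs it, computes the run-time closure that actually ships with a package (build-only tools excluded), and refuses to proceed when the graph contains a cycle. The namespace-based network isolation the text mentions is out of scope here; this only shows why keeping the typed graph matters.

```python
"""Toy typed dependency graph for rebuilding Python packages from source.

Added illustration, not Fromager's code: node names (app, requests, ...)
and the two edge kinds are constructed for the example.
"""
from collections import defaultdict
from enum import Enum
from graphlib import CycleError, TopologicalSorter


class EdgeType(Enum):
    BUILD = "build"      # needed only to build the wheel (e.g. a build backend)
    INSTALL = "install"  # needed at run time by the installed package


class DependencyGraph:
    def __init__(self):
        # (package, dependency) -> set of EdgeType; one pair may carry both kinds
        self.edges = defaultdict(set)
        self.nodes = set()

    def add(self, pkg, dep, kind):
        self.nodes.update((pkg, dep))
        self.edges[(pkg, dep)].add(kind)

    def deps(self, pkg, kind=None):
        """Direct dependencies of pkg, optionally filtered by edge kind."""
        return {
            d for (p, d), kinds in self.edges.items()
            if p == pkg and (kind is None or kind in kinds)
        }

    def build_order(self):
        """Order in which to rebuild from source: every build-time and
        run-time dependency of a package comes before that package.
        Raises graphlib.CycleError if the graph is not a DAG."""
        ts = TopologicalSorter()
        for node in self.nodes:
            ts.add(node, *self.deps(node))
        return list(ts.static_order())

    def has_cycle(self):
        try:
            self.build_order()
        except CycleError:
            return True
        return False

    def runtime_closure(self, pkg):
        """Transitive install-time dependencies only: what must ship with
        pkg. Build backends reachable only via BUILD edges are excluded."""
        seen, stack = set(), [pkg]
        while stack:
            current = stack.pop()
            for dep in self.deps(current, EdgeType.INSTALL):
                if dep not in seen:
                    seen.add(dep)
                    stack.append(dep)
        return seen


def sample_graph():
    """Constructed sample: a tiny application with mixed edge kinds."""
    g = DependencyGraph()
    g.add("app", "requests", EdgeType.INSTALL)
    g.add("requests", "urllib3", EdgeType.INSTALL)
    g.add("requests", "setuptools", EdgeType.BUILD)   # build backend only
    g.add("urllib3", "hatchling", EdgeType.BUILD)     # build backend only
    return g


if __name__ == "__main__":
    g = sample_graph()
    print("rebuild order:", g.build_order())
    print("ships with app:", sorted(g.runtime_closure("app")))
    print("cycle present:", g.has_cycle())
```

Because build-only dependencies stay in the graph as their own nodes, they are rebuilt from source like everything else before the package that uses them, yet they never leak into the run-time closure of what gets deployed. A resolver that discards this typing after installation cannot answer either question afterwards.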
Fromager is open source: https://github.com/python-wheel-build/from...
#Python #SupplyChainSecurity #SoftwarePackaging #OpenSource