Chainguard Libraries for Python

The June 2025 Learning Lab with Patrick Smyth covers Chainguard Libraries for Python. Open source libraries help you move fast, but pulling in external dependencies can introduce supply chain risk. This session covers fundamental concepts of Chainguard Libraries, package managers and dependencies, PyPI and build tools, configuring repository managers, and running example application builds.

Sections

• 0:00 Introduction and welcome
• 0:54 Patrick Smyth introduction and background
• 1:47 Chainguard! Who are we?
• 2:47 Chainguard Containers and the “boss assigned me to fix Ubuntu” problem
• 4:12 Introduction to Chainguard Libraries for Python
• 5:04 Python libraries fundamentals - modules, packages, and libraries
• 6:34 The dependency graph problem and modern ecosystem challenges
• 8:57 PyPI (Python Package Index) overview and infrastructure
• 10:53 Supply chain attacks on the rise and threats to the Python ecosystem
• 11:39 Supply chain meme calendar - an attack every month this year
• 13:54 Anatomy of supply chain attacks and attack vectors
• 17:43 Chainguard Libraries!
• 19:34 Chainguard Factory overview and operational security
• 21:33 Case study: Ultralytics YOLO December 2024 attack
• 23:22 Technical caveats and requirements for Chainguard Libraries
• 25:06 Demo introduction and Flask project overview
• 27:48 Accessing demo materials on Chainguard Academy
• 29:00 Demo: Cloning and setting up the Flask project
• 31:17 Demo: Creating virtual environment and installing from PyPI
• 33:06 Demo: Running Flask application and testing with libCheck tool
• 34:28 Demo: Configuring pip for Chainguard Libraries via repository manager
• 36:19 Demo: Installing dependencies from Chainguard Libraries
• 37:02 Demo: Verification with libCheck
• 38:22 Demo: Containerizing the demo application
• 40:25 Demo: Building and running containerized Flask application
• 41:41 Additional configuration options and documentation resources
• 42:19 Q&A: Repository manager setup and configuration
• 43:26 Q&A: Architecture support and glibc requirements
• 44:34 Q&A: libCheck tool open source plans and detailed output
• 46:05 Q&A: CVE scanning with Grype and vulnerability management

Demo

In the demo, Patrick switches a Flask application to use Chainguard Libraries for Python, sourcing dependencies from a repository manager (Artifactory) set up to pull first from the Chainguard Libraries for Python index with a fallback to the Python Package Index (PyPI).

Demo Flask Application

Patrick demonstrates two approaches. First, he modifies the ~/.pip/pip.conf file to pull from the virtual repository set up in the repository manager:

[global]
index-url = <repository-url>

After changing this global setting, Patrick installs and runs the application from a virtual environment, then uses Chainguard’s libCheck tool to test the provenance of the packages in the virtual environment. Chainguard is in the process of releasing this tool under an open source license.

Patrick also updates the demo application’s requirements.txt file and build and run the application from a Chainguard Container.

Resource Links

• Slide deck
• Chainguard Libraries
• Chainguard Libraries documentation
• Chainguard Libraries for Python documentation
• Python global configuration
• Python build configuration
• Python Package Index (PyPI)
• pip documentation
• Python Packaging User Guide
• Cheese Must Stand: Defending the Python Library Ecosystem in 2025 at PyCon 2025