Seminar room 05.001, Spiegelgasse 5, 4051 Basel
CERN’s software environment is built on thousands of interconnected tools and libraries that need to be reliable, consistent, and secure. To manage this complexity, CERN uses a private Python package manager designed to give developers controlled access to external code while maintaining internal governance and stability.
In this talk, I’ll give an overview of how this system works and how it fits into CERN’s broader technical network, a segregated infrastructure that keeps critical systems isolated from the public Internet. I’ll also cover some of the security challenges that come with maintaining such an environment, including dependency confusion attacks, configuration risks, and the balance between monitoring and user privacy.
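The dependency-confusion attack named above can be made concrete with a small simulation of how pip chooses between indexes. The following is an added example written for this page, not CERN's package manager or any of its code; the index URLs, the package name and the digests are constructed. It mirrors the documented pip rule that `--index-url` gets no precedence over `--extra-index-url`: candidates from every configured index are pooled and the highest version wins, so an attacker who registers an internal package name on the public index with a large version number gets installed. The two hardened configurations shown are a single private index (which proxies public packages itself) and a pinned requirement under `--require-hashes`.

```python
# Added example: a simulation of pip's candidate selection, written for this
# page. It is not CERN's package manager. Index URLs, the package name and the
# sha256 values are hypothetical/constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    index: str    # index that served this distribution
    sha256: str   # constructed digest of the distribution file


PRIVATE_INDEX = "https://pypi.internal.example/simple"  # hypothetical private index
PUBLIC_INDEX = "https://pypi.org/simple"

# Constructed index contents: the private index holds the real internal package,
# and an attacker has registered the same name on the public index with a far
# higher version number.
INDEXES = {
    PRIVATE_INDEX: [Candidate("cern-internal-tool", "1.2.0", PRIVATE_INDEX, "a1" * 32)],
    PUBLIC_INDEX: [Candidate("cern-internal-tool", "99.0.0", PUBLIC_INDEX, "ff" * 32)],
}


def version_key(version: str) -> tuple:
    """Order plain dotted versions numerically (sufficient for this simulation)."""
    return tuple(int(part) for part in version.split("."))


def resolve(name, index_urls, pins=None, allowed_hashes=None):
    """Pick a distribution the way pip does: pool candidates from every configured
    index (pip gives --index-url no precedence over --extra-index-url), apply the
    == pin and the --require-hashes filter if set, then take the highest version."""
    candidates = [c for url in index_urls for c in INDEXES.get(url, []) if c.name == name]
    if pins and name in pins:                     # requirement pinned with ==
        candidates = [c for c in candidates if c.version == pins[name]]
    if allowed_hashes is not None:                # hash-checking mode
        candidates = [c for c in candidates if c.sha256 in allowed_hashes.get(name, ())]
    if not candidates:
        raise LookupError(f"no acceptable distribution for {name}")
    return max(candidates, key=lambda c: version_key(c.version))


def weak_config():
    """pip.conf with  index-url = <private>  and  extra-index-url = https://pypi.org/simple.
    Both indexes are searched and the attacker's 99.0.0 wins."""
    return resolve("cern-internal-tool", [PRIVATE_INDEX, PUBLIC_INDEX])


def private_index_only():
    """pip.conf with only  index-url = <private>; the private index is expected to
    proxy public packages itself, so no extra index is configured."""
    return resolve("cern-internal-tool", [PRIVATE_INDEX])


def pinned_with_hashes():
    """Both indexes still configured, but the requirement reads
    cern-internal-tool==1.2.0 --hash=sha256:<digest> and pip runs with
    --require-hashes, so the attacker's upload fails both the pin and the hash."""
    return resolve(
        "cern-internal-tool",
        [PRIVATE_INDEX, PUBLIC_INDEX],
        pins={"cern-internal-tool": "1.2.0"},
        allowed_hashes={"cern-internal-tool": {"a1" * 32}},
    )


if __name__ == "__main__":
    for scenario in (weak_config, private_index_only, pinned_with_hashes):
        chosen = scenario()
        print(f"{scenario.__name__:20s} -> {chosen.version} from {chosen.index}")
```

Real pip's hash-checking mode additionally refuses to run unless every requirement in the file is pinned and carries a hash; the simulation only models the per-package filter. The first mitigation also assumes the private index is trusted to decide which public packages it mirrors, which is exactly the governance question the talk raises.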
Finally, I’ll share insights from a recent security assessment, comparing the system to public repositories like PyPI. The goal is to show how organizations can strengthen their software supply chains, and what lessons we can take from CERN’s approach to managing security at scale.