←back to thread

PyPI now supports digital attestations

(blog.pypi.org)
218 points miketheman | 1 comments | 14 Nov 24 14:25 UTC | HN request time: 0.256s | source
Show context
belval ◴[14 Nov 24 16:05 UTC] No.42137562[source]
I have a bit of uneasiness about how this is heavily pushing GitHub actions as the correct way to publish to PyPI. I had to check PEP740 to make sure it was not directly supported by Microsoft.

> The generation and publication of attestations happens by default, and no changes are necessary for projects that meet all of these conditions: publish from GitHub Actions; via Trusted Publishing; and use the pypa/gh-action-pypi-publish action to publish.

If you then click on "The manual way" it adds a big disclaimer:

> STOP! You probably don't need this section; it exists only to provide some internal details about how attestation generation and uploading work. If you're an ordinary user, it is strongly recommended that you use one of the official workflows described above.

Where the only official workflow is "Use GitHub Actions".

I guess I am an idealist but as a maintainer this falls short of my expectations for the openness of Python and PyPI.

replies(9): >>42137628 #>>42137831 #>>42138035 #>>42138967 #>>42140525 #>>42140881 #>>42142188 #>>42144001 #>>42144423 #
doctorpangloss ◴[14 Nov 24 20:01 UTC] No.42140525[source]
On the one hand, you are totally right, GitHub Actions are the VS Code of automation. People choose them because they are broke, they work well enough, and the average person chooses things based on how it looks. GitHub Actions looks easy, it's cozy, it's comfy, VS Code looks like a code editor, everything has to be cozy and comfy.

On the other hand, considering all of that, you can see why Python would arrive at this design. They are the only other people besides NPM who regularly have supply chain attack problems. They are seemingly completely unopinionated about how to fix their supply chain problems, while being opinionated about the lack of opinions about packaging in general. What is the end goal? Presumably one of the giant media companies, Meta, Google or Microsoft maybe, have to take over the development of runtime and PEP process, but does that even sound good?

replies(1): >>42141248 #
LtWorf ◴[14 Nov 24 21:08 UTC] No.42141248[source]
I think the end goal is to only allow github/google whatever accounts to publish code on Pypi, so importing whatever will be USA-sanctions safe.

The burden to ban russians/koreans/iranians will be on those big companies and pypi will be able to claim they respect the rules without having the resources themselves to ban accounts from sanctioned countries.

So in my opinion, in the future tooling will have some option to check if the software was uploaded via microsoft et al and can be considered unsanctioned in USA.

Or they might just say that's how you upload now and that's it.

replies(2): >>42141438 #>>42141488 #
doctorpangloss ◴[14 Nov 24 21:30 UTC] No.42141438[source]
> so importing whatever will be USA-sanctions safe...

You are talking about guys who can barely figure out how to structure a Python package repository. They are not doing this kind of 4D chess.

And anyway, none of that makes any sense.

replies(1): >>42141521 #
1. LtWorf ◴[14 Nov 24 21:40 UTC] No.42141521[source]
The people paying for this, not them.