←back to thread

PyPI now supports digital attestations

(blog.pypi.org)
218 points miketheman | 4 comments | 14 Nov 24 14:25 UTC | HN request time: 0.202s | source
Show context
belval ◴[14 Nov 24 16:05 UTC] No.42137562[source]
I have a bit of uneasiness about how this is heavily pushing GitHub actions as the correct way to publish to PyPI. I had to check PEP740 to make sure it was not directly supported by Microsoft.

> The generation and publication of attestations happens by default, and no changes are necessary for projects that meet all of these conditions: publish from GitHub Actions; via Trusted Publishing; and use the pypa/gh-action-pypi-publish action to publish.

If you then click on "The manual way" it adds a big disclaimer:

> STOP! You probably don't need this section; it exists only to provide some internal details about how attestation generation and uploading work. If you're an ordinary user, it is strongly recommended that you use one of the official workflows described above.

Where the only official workflow is "Use GitHub Actions".

I guess I am an idealist but as a maintainer this falls short of my expectations for the openness of Python and PyPI.

replies(9): >>42137628 #>>42137831 #>>42138035 #>>42138967 #>>42140525 #>>42140881 #>>42142188 #>>42144001 #>>42144423 #
woodruffw ◴[14 Nov 24 16:12 UTC] No.42137628[source]
> Where the only official workflow is "Use GitHub Actions".

The standard behind this (PEP 740) supports anything that can be used with Trusted Publishing[1]. That includes GitLab, Google Cloud, ActiveState, and can include any other OIDC IdP if people make a good case for including it.

It's not tied to Microsoft or GitHub in any particular way. The only reason it emphasizes GitHub Actions is because that's where the overwhelming majority of automatic publishing traffic comes from, and because it follows a similar enablement pattern as Trusted Publishing did (where we did GitHub first, followed by GitLab and other providers).

[1]: https://docs.pypi.org/trusted-publishers/

replies(6): >>42137658 #>>42137713 #>>42139209 #>>42140207 #>>42140433 #>>42143213 #
1. zahlman ◴[15 Nov 24 01:46 UTC] No.42143213[source]
"Ordinary user" here.

It comes across like the goal of this system is to prove to my users a) who I am; b) that I am working in cooperation with some legitimate big business. I don't understand why I should want to prove such things, nor why it's desirable for b) to even be true, nor why my users should particularly care about a) at all, whether I can prove it or not.

I think my users should only care that the actual contents of the sdist match, and the built contents of the wheel correspond to, the source available at the location described in the README.

Yes, byte-for-byte reproducible builds would be a problem, for those who don't develop pure Python. Part of why sdists exist is so that people who can't trust the wheel, like distro maintainers, can build things themselves. And really - why would a distro maintainer take I take "I can cryptographically prove the source came from zahlman, and trust me, this wheel corresponds to the source" from $big_company any more seriously than "trust me, this wheel corresponds to the source" directly from me?

If I have to route my code through one of these companies ("Don't worry, you can work with Google instead!" is not a good response to people who don't want to work with Microsoft) to gain a compliance checkmark, and figure out how someone else's CI system works (for many years it was perfectly possible for me to write thousands of lines of code and never even have an awareness that there is such a thing as CI) so that I can actually use the publishing system, and learn what things like "OIDC IdP" are so that I can talk to the people in charge...

... then I might as well learn the internal details of how it works.

And, in fact, if those people are suggesting that I shouldn't worry about such details, I count that as a red flag.

I thought open source was about transparency.

replies(3): >>42144451 #>>42145000 #>>42147341 #
2. solatic ◴[15 Nov 24 06:44 UTC] No.42144451[source]
There's two alternate visions: anybody can work with anybody they trust, and Only BigCo Can Protect You.

We know the first falls apart because the Web of Trust fell apart. When the UI asks people "hey, this is new, here's the fingerprint, do you trust it?", nobody actually conducts review, they just mindlessly click "yes" and move on. Very, very, very few people will actually conduct full review of all changes. Even massive organizations that want to lie to themselves that they review the changes, end up just outsourcing the responsibility to someone who is willing to legally accept the risk then they go ahead and just mindlessly click "yes" anyway. There are just too many changes to keep track of and too many ways to obscure malicious code.

We know the second falls apart because human beings are both the inevitable and ultimate weakest link in even the robustest security architectures. Human beings will be compromised and the blast radius on these highly centralized architectures will be immense.

Pick your poison.

3. dogleash ◴[15 Nov 24 08:42 UTC] No.42145000[source]
> Part of why sdists exist is so that people who can't trust the wheel, like distro maintainers, can build things themselves.

Some might even expect pypi to build everything going into it's repo similar to a distro building for it's repos. As far as I can tell, all this 'attestation' is just pypi making microsoft pay for the compute time with extra steps.

4. woodruffw ◴[15 Nov 24 14:43 UTC] No.42147341[source]
> And, in fact, if those people are suggesting that I shouldn't worry about such details, I count that as a red flag.

Nobody is suggesting that. There's an annotation on the internals documentation to make sure that people land on the happy path when it makes sense for them. If you want to learn about the internals of how this works, I heartily encourage you to. I'd even be happy to discuss it over a call, or chat, or any other medium you'd like: none of this is intended to be cloak-and-dagger.

(You can reach this conclusion abductively: if any of this was intended to be opaque, why would we write a public standard, or public documentation, or a bunch of high-profile public announcements for it?)