PyPI now supports digital attestations

(blog.pypi.org)

218 points miketheman | 1 comments | 14 Nov 24 14:25 UTC | HN request time: 0.211s | source

Show context

belval ◴[14 Nov 24 16:05 UTC] No.42137562[source]▶

I have a bit of uneasiness about how this is heavily pushing GitHub actions as the correct way to publish to PyPI. I had to check PEP740 to make sure it was not directly supported by Microsoft.

> The generation and publication of attestations happens by default, and no changes are necessary for projects that meet all of these conditions: publish from GitHub Actions; via Trusted Publishing; and use the pypa/gh-action-pypi-publish action to publish.

If you then click on "The manual way" it adds a big disclaimer:

> STOP! You probably don't need this section; it exists only to provide some internal details about how attestation generation and uploading work. If you're an ordinary user, it is strongly recommended that you use one of the official workflows described above.

Where the only official workflow is "Use GitHub Actions".

I guess I am an idealist but as a maintainer this falls short of my expectations for the openness of Python and PyPI.

replies(9): >>42137628 #>>42137831 #>>42138035 #>>42138967 #>>42140525 #>>42140881 #>>42142188 #>>42144001 #>>42144423 #

LtWorf ◴[14 Nov 24 20:32 UTC] No.42140881[source]▶

>>42137562 #

Funny how I have a talk about the evolution of pypi's security at the upcoming minidebconf this weekend.

I guess I'll have to update my slides :D

But well as a debian developer my advice is to just use debian and completely ignore pypi, so I might be slightly biased.

replies(2): >>42143412 #>>42143566 #

1. zahlman ◴[15 Nov 24 02:51 UTC] No.42143566[source]▶

>>42140881 #

Does a .deb file even allow for installing for an arbitrary Python (i.e. not the system installation)? Am I supposed to find them through Apt and hope the Debian version of the package has a `python3` prefix on the name? Is that going to help if there are dependencies outside the Apt system?

↑