←back to thread

PyPI now supports digital attestations

(blog.pypi.org)
218 points miketheman | 1 comments | 14 Nov 24 14:25 UTC | HN request time: 0.21s | source
Show context
belval ◴[14 Nov 24 16:05 UTC] No.42137562[source]
I have a bit of uneasiness about how this is heavily pushing GitHub actions as the correct way to publish to PyPI. I had to check PEP740 to make sure it was not directly supported by Microsoft.

> The generation and publication of attestations happens by default, and no changes are necessary for projects that meet all of these conditions: publish from GitHub Actions; via Trusted Publishing; and use the pypa/gh-action-pypi-publish action to publish.

If you then click on "The manual way" it adds a big disclaimer:

> STOP! You probably don't need this section; it exists only to provide some internal details about how attestation generation and uploading work. If you're an ordinary user, it is strongly recommended that you use one of the official workflows described above.

Where the only official workflow is "Use GitHub Actions".

I guess I am an idealist but as a maintainer this falls short of my expectations for the openness of Python and PyPI.

replies(9): >>42137628 #>>42137831 #>>42138035 #>>42138967 #>>42140525 #>>42140881 #>>42142188 #>>42144001 #>>42144423 #
woodruffw ◴[14 Nov 24 16:12 UTC] No.42137628[source]
> Where the only official workflow is "Use GitHub Actions".

The standard behind this (PEP 740) supports anything that can be used with Trusted Publishing[1]. That includes GitLab, Google Cloud, ActiveState, and can include any other OIDC IdP if people make a good case for including it.

It's not tied to Microsoft or GitHub in any particular way. The only reason it emphasizes GitHub Actions is because that's where the overwhelming majority of automatic publishing traffic comes from, and because it follows a similar enablement pattern as Trusted Publishing did (where we did GitHub first, followed by GitLab and other providers).

[1]: https://docs.pypi.org/trusted-publishers/

replies(6): >>42137658 #>>42137713 #>>42139209 #>>42140207 #>>42140433 #>>42143213 #
freeone3000 ◴[14 Nov 24 19:34 UTC] No.42140207[source]
It requires an OIDC IdP, though… with PGP, I can verify that my identity is constant, but now, I’m reliant on some chosen third-party. And it has to keep being the same one, to boot! I don’t like the lock-in this causes, and I definitely don’t like the possibility of my right to publish being revoked by a third party.
replies(1): >>42141767 #
beng-nl ◴[14 Nov 24 22:12 UTC] No.42141767[source]
I’m only now learning about what OIDC IdP is (for those like me: openid connect identity provider). But from my reading, a self hosted gitlab can function as an oidc idp.

That would be enough control, right?

replies(1): >>42142276 #
chippiewill ◴[14 Nov 24 23:14 UTC] No.42142276[source]
You can't use a self-hosted Gitlab because you can only use a "trusted publisher".

There's no hard technical reason for that. It's mostly that PyPI only want to trust certain issuers who they think will look after their signing keys responsibly.

replies(2): >>42143624 #>>42143918 #
intelVISA ◴[15 Nov 24 03:05 UTC] No.42143624[source]
Sounds like PyPI have been corrupted? Hopefully The Foundation can remind them of their mission.
replies(1): >>42144556 #
1. guappa ◴[15 Nov 24 07:05 UTC] No.42144556[source]
Good luck with that…