PyPI now supports digital attestations

(blog.pypi.org)

218 points miketheman | 2 comments | 14 Nov 24 14:25 UTC | HN request time: 0.405s | source

Show context

guappa ◴[15 Nov 24 08:17 UTC] No.42144884[source]▶

>>42136375 (OP) #

They even got some public money from Germany's sovreign tech fund to couple uploads with gigantic USA companies.

This is probably deserving a criminal investigation since it appears the funds were probably misused?

Well done guys! Good job!

replies(2): >>42145501 #>>42148242 #

1. kps ◴[15 Nov 24 16:15 UTC] No.42148242[source]▶

>>42144884 #

You can count me among those that are suspicious that this is a frog-boiling step, but it doesn't appear to me that STF money went to this, from https://www.sovereign.tech/tech/python-package-index#what-ar...

Maybe there is a case to be made for STF to fund making Codeberg (a German-headquartered organization) one of the PyPI trusted hosts. If Codeberg were supported, that would go a long way to addressing fears. And conversely, if Codeberg can't meet PyPI's bar, that suggests complete commercial capture.

replies(1): >>42183109 #

2. guappa ◴[19 Nov 24 13:20 UTC] No.42183109[source]▶

>>42148242 (TP) #

Yes I agree. It'd be nice if codeberg got some funding and could be used to upload stuff in the same way github can.

Then pypi wouldn't just me a means to the end of keeping people on github rather than going to open platforms.

↑