Wrote down everything I wish I knew earlier about Python supply chain security. Hash pinning, pip-audit, SBOMs, trusted publishing — the whole thing. Enjoy 🐍🔒 https://bernat.tech/posts/securing-python-supply-chain/
Defense in Depth: A Practical Guide to Python Supply Chain Security

A comprehensive guide to securing your Python dependencies from ingestion to deployment, covering linting, pinning, vulnerability scanning, SBOMs, and attestations

Bernát Gábor - Engineering & Open Source
@gaborbernat @cxiao Uhhhh.. yes please! Thanks for sharing 🐍

@gaborbernat @cxiao great write-up! perhaps also worth pointing out in the time-based defense section that pip v26 introduces `--uploaded-prior-to` which serves the same purpose as `uv`'s `--exclude-newer` as far as I know (although both are just one layer, and one that relies on the remote package repository not to lie)

Thanks for collating all this, happily sharing with my colleagues :)

@gaborbernat @andrewnez this may be relevant to your interests
@gaborbernat I really appreciate you doing this!
But?:
`pip-audit: error: unrecognized arguments: --requirements`
@nedbat let me check
@nedbat thanks for catching this, fixed it now (was an extra s there somehow) https://github.com/gaborbernat/bernat-tech/commit/4d1f94f1a5d10f9412574169a1ba4489438f2c4a
📝 docs(blog): fix pip-audit flag, add pylock.toml and pip v26 · gaborbernat/bernat-tech@4d1f94f

Fix --requirements (invalid) to --requirement across all pip-audit examples. Add pip v26 --uploaded-prior-to alongside uv --exclude-newer for time-based filtering. Add PEP 751 pylock.toml as the st...

@gaborbernat thank you so much for sharing! This will definitely help me convince some folks to set up an internal package mirror 😁