Brett Cannon2d ago

RE: https://infosec.exchange/@dangoodin/116285175398594132

Notice how the compromised releases were directly uploaded. This is why `pylock.toml` includes attestation data and trusted publishing is important. If the project used trusted publishing then their the lack of attestation data could have been noticed in a diff of the lock file as it would have suddenly disappeared (which is also why `pylock.toml` was designed to be human-readable).

Show threadSeth Larson

@brettcannon Can't tell you how often I'm bothered by a lock file being marked as "generated" or "too long to be human readable" on code review platforms. If we're not looking at lock files... how do we know what code is running??

Human readability of pylock.toml isπŸ‘Œ

Mar 24 at 5:34pmWeb
Show threadTamir Bahar2d ago
@sethmlarson @brettcannon I'll admit until now I've only used lockfiles to avoid annoying CI failures. I have some reading to do now...
Show threadSeth Larson2d ago
@tmr232 @brettcannon Reproducibility and security go hand in hand! 🀝
Show threadTamir Bahar2d ago

@sethmlarson @brettcannon any recommendations on how to use those attestations in production? I found the format docs, but I'm not sure what to do with the data without supporting tooling (installers or index mirrors that block installing if the data goes missing?)

That said, I'll start reviewing lockfiles more carefully.

Show threadBrett Cannon1d ago
@tmr232 @sethmlarson Tooling obviously makes it way more useful. But for a PR review there's 2 things. One is if you know a project uses trusted publishing then their should be attestation data. Two, if the attestation data suddenly disappears or changes in an odd way, be wary and check if the project changed something intentionally.