RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts as motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni, I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

@brettcannon @jni what am I missing? I don't see any publisher information on `pylock.toml`, generated with any of `uv`, `pip` or `pdm`. Are the tools choosing not to include it at the moment, or am I doing something wrong?
@saucoide @brettcannon based on other conversations I'm having, it seems the tooling hasn't quite caught up with the standard…