Brett Cannon1d ago

RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts at motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni , I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

Show threadHugo van Kemenade1d ago

@brettcannon Thanks for this writeup!

"What can you do as a person if you don't have code to check that things line up (which isn't a lot of code; the lock file should have the index server for the package, so you follow the index server API to get the digital attestation for each file and compare)?"

Let's build this into common tooling! Directly into installers like pip and uv? And pip/uv audit?
#Python #security

Show threadBrian Koopman
@hugovk @brettcannon I had the same thought when reading this (not being familiar with pylock.toml) -- "why doesn't pip do this?"
Mar 26 at 11:24amWeb