Brett Cannon3d ago

RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts at motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni , I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

Show threadTimo Zimmermann3d ago

@brettcannon if I understand the workflow and requirements correctly I’d need to move CI and signing to one of the few blessed systems such as Microsoft’s falling apart slop dumpster fire.

If this is correct I honestly hope it causes the opposite reaction and people start looking into / working on alternatives instead of using the system as is.

Show threadBrett Cannon

@fallenhitokiri First, I work at MS; I don't expect you to necessarily agree with the trajectory of the company but it did pay for that blog post, so please keep the insults civil.

Two, you can work with whomever you have hosting your code to become trusted enough to use trusted publishing. Or you can work to make a system where trusted publishing isn't a prerequisite.

Mar 28 at 2:38amMastodon for Android
Show threadBrett Cannon1d ago
@fallenhitokiri as well, check out disulciss.python.org where there was a recent discussion as to why Codeberg isn't a trusted publisher yet and what it takes.
Show threadTimo Zimmermann1d ago

@brettcannon per the thread there doesn’t seem to be a way to establish any new providers outside of the blessed ones when 7 years is considered “too young”. The technical / operational concerns are valid IMHO.

The maturity argument also falls very short when you objectively look at the trajectory of a blessed provider with outages piling up.
The example with SourceForge in the discussion is a perfect example for that and also why blessed providers are not the way to go.

Show threadBrett Cannon1d ago
@fallenhitokiri trusted != uptime; it just means PyPI expects that security is at a certain level around identity
Show threadTimo Zimmermann5h ago

@brettcannon sorry, I wasn't very clear with my comment. I was referring to this comment https://discuss.python.org/t/new-oidc-providers-for-trusted-publishing/106334/5

> [...] 7 years isn’t a large amount of time to be able to look back on [...]

New OIDC providers for Trusted Publishing

Not speaking authoritatively here, just my personal opinion, though I am a PyPI administrator so I’ve got some sense of what the PyPI admins might think 😉 . To be clear though, this is a quick look and not any sort of official Yes or No. I believe the key requirement beyond the technical, is the reliability and security of a given OIDC provider. These providers effectively have the ability to release as any project, and thus their ability to secure and reliably operate the software and inf...

Discussions on Python.org
Show threadTimo Zimmermann1d ago

@brettcannon Based on the discuss. thread I agree that a system not requiring trusted publishing is what we should be working towards to.

With the arguments in the thread it’s just hard to see how. Many of the properties of a “trusted” way of doing things discussed are inherently incompatible with any new development.

Show threadTimo Zimmermann1d ago

@brettcannon also sorry for the less civil part of the comment.

I didn’t know you are at MS and that the blog post was sponsored / written as part of your job, I usually try to be more factual when engaging with content like this.

Show threadBrett Cannon1d ago
@fallenhitokiri not sponsored from a "brought to you by MS" perspective (still my personal opinion), just done on work time