RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts as motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni , I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

@brettcannon Thanks for this writeup!

"What can you do as a person if you don't have code to check that things line up (which isn't a lot of code; the lock file should have the index server for the package, so you follow the index server API to get the digital attestation for each file and compare)?"

Let's build this into common tooling! Directly into installers like pip and uv? And pip/uv audit?
#Python #security

@hugovk @brettcannon I had the same thought when reading this (not being familiar with pylock.toml) -- "why doesn't pip do this?"
@brian @hugovk pip doesn't support installing from a lock file yet, so there's nothing for it to check ATM. And I think it makes sense to work out some common library that does the best practices here, it's just the usual questions of who and where?