Brett Cannon3d ago

RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts at motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni , I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

Show threadTimo Zimmermann3d ago

@brettcannon if I understand the workflow and requirements correctly I’d need to move CI and signing to one of the few blessed systems such as Microsoft’s falling apart slop dumpster fire.

If this is correct I honestly hope it causes the opposite reaction and people start looking into / working on alternatives instead of using the system as is.

Show threadBrett Cannon1d ago

@fallenhitokiri First, I work at MS; I don't expect you to necessarily agree with the trajectory of the company but it did pay for that blog post, so please keep the insults civil.

Two, you can work with whomever you have hosting your code to become trusted enough to use trusted publishing. Or you can work to make a system where trusted publishing isn't a prerequisite.

Show threadTimo Zimmermann

@brettcannon per the thread there doesn’t seem to be a way to establish any new providers outside of the blessed ones when 7 years is considered “too young”. The technical / operational concerns are valid IMHO.

The maturity argument also falls very short when you objectively look at the trajectory of a blessed provider with outages piling up.
The example with SourceForge in the discussion is a perfect example for that and also why blessed providers are not the way to go.

Mar 28 at 6:00amWeb
Show threadBrett Cannon23h ago
@fallenhitokiri trusted != uptime; it just means PyPI expects that security is at a certain level around identity
Show threadTimo Zimmermann2h ago

@brettcannon sorry, I wasn't very clear with my comment. I was referring to this comment https://discuss.python.org/t/new-oidc-providers-for-trusted-publishing/106334/5

> [...] 7 years isn’t a large amount of time to be able to look back on [...]

New OIDC providers for Trusted Publishing

Not speaking authoritatively here, just my personal opinion, though I am a PyPI administrator so I’ve got some sense of what the PyPI admins might think 😉 . To be clear though, this is a quick look and not any sort of official Yes or No. I believe the key requirement beyond the technical, is the reliability and security of a given OIDC provider. These providers effectively have the ability to release as any project, and thus their ability to secure and reliably operate the software and inf...

Discussions on Python.org