RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts as motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni, I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

@brettcannon if I understand the workflow and requirements correctly I’d need to move CI and signing to one of the few blessed systems such as Microsoft’s falling apart slop dumpster fire.

If this is correct I honestly hope it causes the opposite reaction and people start looking into / working on alternatives instead of using the system as is.

@fallenhitokiri First, I work at MS; I don't expect you to necessarily agree with the trajectory of the company but it did pay for that blog post, so please keep the insults civil.

Two, you can work with whomever you have hosting your code to become trusted enough to use trusted publishing. Or you can work to make a system where trusted publishing isn't a prerequisite.

@brettcannon Based on the discuss. thread I agree that a system not requiring trusted publishing is what we should be working towards.

With the arguments in the thread it’s just hard to see how. Many of the properties of a “trusted” way of doing things discussed are inherently incompatible with any new development.