RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts as motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni, I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

@brettcannon @jni what am I missing? I don't see any publisher information in `pylock.toml`, generated with any of `uv`, `pip` or `pdm`. Are the tools choosing not to include it at the moment, or am I doing something wrong?
@saucoide @brettcannon based on other conversations I'm having, it seems the tooling hasn't quite caught up with the standard…
@jni @saucoide I wouldn't expect pip to have it as its pylock.toml support is basically a fancy `pip freeze` and this info isn't recorded at install time. As for PDM and uv, if you verified a project on PyPI has the requisite data then they haven't added support for digital attestations.
@brettcannon @jni yes, I was trying to replicate it with the `packaging` example, but it does look like the tooling doesn't support it yet: https://github.com/astral-sh/uv/issues/9122