RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts at motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni , I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

RE: https://infosec.exchange/@dangoodin/116285175398594132

Notice how the compromised releases were directly uploaded. This is why `pylock.toml` includes attestation data and trusted publishing is important. If the project used trusted publishing then their the lack of attestation data could have been noticed in a diff of the lock file as it would have suddenly disappeared (which is also why `pylock.toml` was designed to be human-readable).

OpenAI is buying Astral https://openai.com/index/openai-to-acquire-astral/

1. I'm happy Astral got their exit (which we all knew was the end goal)
2. I'm glad no one will accuse me of trying to kill the company anymore by working on standards or saying there are other workflow tools
3. I'm taking a wait-and-see view (e.g. Astral already said more AI is coming to their tools https://blog.pamelafox.org/2026/03/learnings-from-pyai-conference.html#:~:text=Astral%20is%20also%20re%2Dprioritizing%20based%20off%20the%20move%20towards%20100%25%20agentic%20coding%2C%20with%20less%20emphasis%20on%20tools%20that%20would%20be%20used%20solely%20by%20a%20developer%20who%20is%20manually%20typing.)
4. I'm going to continue to work on standards for a baseline workflow experience to make my kid happy someday