Skip to content
  • Home
  • Categories
  • Recent
  • Popular
  • World
  • Top
  • Tags
  • Users
  • Groups
  • Documentation
    • Home
    • Read API
    • Write API
    • Plugin Development
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo
v3.10.3 Latest
Buy Hosting
  1. Home
  2. Uncategorized
  3. Posted some notes on the new PyPI digital attestations feature released today, providing digital signatures that help demonstrate that the package you are downloading from PyPI was built from a specific version of the underlying code on GitHub https://...

Posted some notes on the new PyPI digital attestations feature released today, providing digital signatures that help demonstrate that the package you are downloading from PyPI was built from a specific version of the underlying code on GitHub https://...

Scheduled Pinned Locked Moved Uncategorized
3 Posts 2 Posters 2 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • simon@fedi.simonwillison.netS This user is from outside of this forum
    simon@fedi.simonwillison.netS This user is from outside of this forum
    Simon Willison
    wrote last edited by
    #1

    Posted some notes on the new PyPI digital attestations feature released today, providing digital signatures that help demonstrate that the package you are downloading from PyPI was built from a specific version of the underlying code on GitHub https://simonwillison.net/2024/Nov/14/pypi-digital-attestations/

    whynothugo@fosstodon.orgW 1 Reply Last reply
    0
    • whynothugo@fosstodon.orgW This user is from outside of this forum
      whynothugo@fosstodon.orgW This user is from outside of this forum
      Hugo 雨果
      replied to Simon Willison last edited by
      #2

      @simon I understand what this does, but I don’t understand the value of it. It provides validation that the build happened on MS’s server and that they used used a specific checkout. But if builds are not reproducible (eg: use unchecksumed external resources), this guarantees nothing. If builds are properly reproducible, what value does the attestation add?

      simon@fedi.simonwillison.netS 1 Reply Last reply
      0
      • simon@fedi.simonwillison.netS This user is from outside of this forum
        simon@fedi.simonwillison.netS This user is from outside of this forum
        Simon Willison
        replied to Hugo 雨果 last edited by
        #3

        @whynothugo I like that I can see the git commit hash that was used for the build, which means I can review the code myself

        1 Reply Last reply
        0

        Copyright © 2024 NodeBB | Contributors
        • Login
        • Don't have an account? Register
        • Login or register to search.
        Powered by NodeBB Contributors
        • First post
          Last post
        0
        • Home
        • Categories
        • Recent
        • Popular
        • World
        • Top
        • Tags
        • Users
        • Groups
        • Documentation
          • Home
          • Read API
          • Write API
          • Plugin Development