• PyPI now supports digital attestations

    From LWN.net@1337:1/100 to All on Thu Nov 14 21:30:05 2024
    PyPI now supports digital attestations

    Date:
    Thu, 14 Nov 2024 21:22:12 +0000

    Description:
    The Python Package Index (PyPI) has announced that it has finalized support for PEP 740 ("Index support
    for digital attestations"). Trail of Bits, which performed much of the development work for the
    implementation, has an in-depth blog post about the work and its adoption, as well as what is left
    undone: "One thing is notably missing from all of this work: downstream verification. [...] This isn't
    an acceptable end state (cryptographic attestations have defensive properties only insofar as they're
    actually verified), so we're looking into ways to bring verification to individual installing clients.
    In particular, we're currently working on a plugin architecture for pip that will enable users to load
    verification logic directly into their pip install flows."

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/998215/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)