
PyPI now supports digital attestations

by jzb, from LWN.net on (#6S7T7)

The Python Package Index (PyPI) has announced that it has finalized support for PEP 740 ("Index support for digital attestations"). Trail of Bits, which performed much of the development work for the implementation, has an in-depth blog post about the work and its adoption, as well as what is left undone:

One thing is notably missing from all of this work: downstream verification. [...]

This isn't an acceptable end state (cryptographic attestations have defensive properties only insofar as they're actually verified), so we're looking into ways to bring verification to individual installing clients. In particular, we're currently working on a plugin architecture for pip that will enable users to load verification logic directly into their pip install flows.
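The quoted passage makes the defender's point: an attestation published alongside a distribution protects nobody until the installing client checks it. The following is an added example, not code from PyPI, pip, Trail of Bits, or the LWN article, modelling what a pip-side verification hook has to do with a PEP 740 provenance object. The provenance layout (attestation bundles carrying a trusted-publisher identity plus attestations whose envelope wraps an in-toto statement over the file's SHA-256 digest) is reproduced from PEP 740 from memory and simplified; the HMAC-SHA256 over the statement is a stand-in for the Sigstore signature and certificate checks a real verifier performs; the wheel bytes, publisher identity and key are constructed for the demo.

```python
"""Model of a downstream (installer-side) verifier for PEP 740 provenance.

Added example, not PyPI/pip/Trail of Bits code. Assumptions: the provenance
and attestation shapes below follow PEP 740 from memory and are simplified;
HMAC-SHA256 is a stand-in for Sigstore signature + certificate verification;
all sample values (wheel bytes, publisher, key) are constructed.
"""
import base64
import hashlib
import hmac
import json

PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"

# Constructed stand-in for the publisher's Sigstore-issued signing identity.
PUBLISHER_KEY = b"constructed-demo-key-not-real"

WHEEL_NAME = "example_pkg-1.0.0-py3-none-any.whl"          # constructed
GOOD_WHEEL = b"constructed wheel bytes for the demo"        # constructed
PUBLISHER = {"kind": "GitHub", "repository": "example-org/example-pkg",
             "workflow": "release.yml"}                      # constructed


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_statement(filename, dist):
    """In-toto statement binding the attestation to exactly one file digest."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": filename, "digest": {"sha256": sha256_hex(dist)}}],
        "predicateType": PUBLISH_PREDICATE,
        "predicate": None,
    }


def sign_statement(statement, key):
    """Produce a PEP 740-shaped attestation object (stand-in signature)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return {
        "version": 1,
        "verification_material": {"certificate": "<stand-in>",
                                  "transparency_entries": []},
        "envelope": {"statement": base64.b64encode(payload).decode(),
                     "signature": base64.b64encode(sig).decode()},
    }


def make_provenance(filename, dist, publisher, key):
    """Provenance object as an index would serve it for one distribution file."""
    att = sign_statement(make_statement(filename, dist), key)
    return {"version": 1,
            "attestation_bundles": [{"publisher": publisher, "attestations": [att]}]}


def verify_provenance(filename, dist, provenance, expected_publisher, key):
    """Fail-closed check an installer must run before trusting `dist`.

    Returns (ok, reasons). ok is True only if some attestation comes from the
    publisher the installer trusts, carries a valid signature over its
    statement, uses the publish predicate, and names the downloaded file
    with a digest equal to the bytes actually downloaded.
    """
    reasons = []
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        return False, ["no attestation bundles in provenance"]
    for bundle in bundles:
        if bundle.get("publisher") != expected_publisher:
            reasons.append("untrusted publisher: %r" % (bundle.get("publisher"),))
            continue
        for att in bundle.get("attestations", []):
            env = att["envelope"]
            payload = base64.b64decode(env["statement"])
            sig = base64.b64decode(env["signature"])
            expected = hmac.new(key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(sig, expected):
                reasons.append("signature does not verify")
                continue
            stmt = json.loads(payload)
            if stmt.get("predicateType") != PUBLISH_PREDICATE:
                reasons.append("unexpected predicate %r" % stmt.get("predicateType"))
                continue
            subjects = {s["name"]: s["digest"]["sha256"] for s in stmt["subject"]}
            if subjects.get(filename) != sha256_hex(dist):
                reasons.append("subject digest does not match downloaded file")
                continue
            return True, []          # one fully valid attestation suffices
    return False, reasons


def demo():
    """Run the three cases a verifier must distinguish; returns the results."""
    prov = make_provenance(WHEEL_NAME, GOOD_WHEEL, PUBLISHER, PUBLISHER_KEY)
    genuine = verify_provenance(WHEEL_NAME, GOOD_WHEEL, prov, PUBLISHER, PUBLISHER_KEY)
    tampered = verify_provenance(WHEEL_NAME, GOOD_WHEEL + b"\x00", prov,
                                 PUBLISHER, PUBLISHER_KEY)
    other = dict(PUBLISHER, repository="someone-else/example-pkg")  # constructed
    wrong_publisher = verify_provenance(WHEEL_NAME, GOOD_WHEEL, prov, other, PUBLISHER_KEY)
    return genuine, tampered, wrong_publisher


if __name__ == "__main__":
    for label, result in zip(("genuine", "tampered", "wrong publisher"), demo()):
        print(label, result)
```

The design point is that every check is conjunctive and the default outcome is rejection: a provenance object that is present but unsigned by the expected identity, or that attests a different digest than the bytes pip just downloaded, must be treated exactly like no attestation at all. That is what "attestations have defensive properties only insofar as they're actually verified" means in practice, and it is the logic a pip verification plugin would have to carry.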

Source: LWN.net RSS feed (http://lwn.net/headlines/rss), https://lwn.net/