GeistHaus

Why pylock.toml includes digital attestations

snarky.ca

A Python project got hacked, with malicious releases uploaded directly to PyPI. I said on Mastodon that had the project used trusted publishing with digital attestations, then people using a pylock.toml file would have noticed something odd was going on, thanks to the lock file including attestation data.

Seth Michael Larson

Python, open source, and the internet
