pypi-publish - GitHub Marketplace

Attestations: A new generation of signatures on PyPI

The Trail of Bits Blog William Woodruff Nov 14, 2024

For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]

1 inbound link article en open-sourcesupply-chainecosystem-securityengineering-practice open-sourcesupply-chainecosystem-securityengineering-practice

The Basics of Python Packaging in Early 2023

DrivenData Labs Jay Qi Mar 9, 2023

Explaining the basic concepts and best practices for creating Python packages in early 2023 using pyproject.toml build standards.

1 inbound link article en blog toolsopen source

Attestations: A new generation of signatures on PyPI

The Trail of Bits Blog William Woodruff Nov 14, 2024

For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]

3 inbound links article en open-sourcesupply-chainecosystem-securityengineering-practice open-sourcesupply-chainecosystem-securityengineering-practice

The Review Review

xahteiwi.eu Florian Haas; Author; Florian-Haas Html Jan 29, 2022

Musings on source code management, code review, testing, deployment, and collaboration culture.

0 inbound links article en blog WorkCIGerritGitLabGitHubZuul CC BY-SA 4.0

Introducing 'Trusted Publishers' - The Python Package Index Blog

blog.pypi.org Apr 20, 2023

Announcing a new, more secure way to publish to PyPI

7 inbound links website en