I noticed that the process for releasing new unMessage versions would not be too easy once we pinned requirements to their versions and hashes based on what we discussed in #35. On every release, the latest versions for all requirements would have to be updated, as well as their hashes.
An idea I had to automate this would attempt to pin requirements to signing keys instead of hashes:
1. Create a directory in the repo containing all signing keys we trust
2. Create a script that would be run on every release
3. Create a keyring and populate it with those signing keys
4. Retrieve from PyPI's API the latest version of all requirements in the requirements file as well as their signatures
5. Verify the signatures and update the version numbers and hashes in the file
The signing keys would have to be retrieved manually and trusted via WoT or TOFU. For packages that are not signed, TOFU the hashes but stop updating them.
Until someone properly fixes this problem "in the right side", this solution can be done "from our side" and could even be used by other developers.
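The core of step 5 as an added example, not code from unMessage or from the issue author: given a parsed PyPI JSON release, the downloaded archive and its detached signature, it re-pins a signed package only when the signature verifies against our own keyring, and applies TOFU to unsigned ones. The `SAMPLE_*` values are constructed, `gpg_verify` assumes a `gpg` binary and a keyring file built from the trusted-keys directory, and the `has_sig` field and `.asc` signatures reflect the PyPI API as it was when this was discussed.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Constructed sample of a PyPI JSON response (https://pypi.org/pypi/<name>/json);
# a real response carries many more fields. The archive bytes are constructed too.
SAMPLE_ARCHIVE = b"constructed sdist bytes, not a real package\n"
SAMPLE_PYPI_JSON = {
    "info": {"name": "examplepkg", "version": "1.2.0"},
    "urls": [{"packagetype": "sdist", "has_sig": True,
              "url": "https://files.pythonhosted.org/packages/.../examplepkg-1.2.0.tar.gz",
              "digests": {"sha256": hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()}}],
}

def gpg_verify(keyring: Path) -> Callable[[bytes, bytes], bool]:
    """Build a verifier that accepts a detached signature only if it was made by a
    key in our own keyring file, never by anything in the user's default keyring."""
    def verify(archive: bytes, signature: bytes) -> bool:
        with tempfile.TemporaryDirectory() as tmp:
            data, sig = Path(tmp, "pkg"), Path(tmp, "pkg.asc")
            data.write_bytes(archive)
            sig.write_bytes(signature)
            cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring",
                   str(keyring.resolve()), "--verify", str(sig), str(data)]
            return subprocess.run(cmd, capture_output=True).returncode == 0
    return verify

def pin_requirement(current: Optional[str], release: dict, archive: bytes,
                    signature: Optional[bytes],
                    verify: Callable[[bytes, bytes], bool]) -> str:
    """Return the `name==version --hash=sha256:...` line for the latest release.
    Signed packages are re-pinned only when the signature verifies; unsigned
    packages get their hash TOFU'd once and then keep their existing pin."""
    name, version = release["info"]["name"], release["info"]["version"]
    sdist = next(u for u in release["urls"] if u["packagetype"] == "sdist")
    digest = hashlib.sha256(archive).hexdigest()
    if digest != sdist["digests"]["sha256"]:
        raise ValueError(f"{name}: downloaded archive does not match PyPI's digest")
    pinned = f"{name}=={version} --hash=sha256:{digest}"
    if sdist.get("has_sig") and signature is not None:
        if not verify(archive, signature):
            raise ValueError(f"{name} {version}: signature not made by a trusted key")
        return pinned
    # Unsigned package: trust on first use, then stop updating automatically.
    return current if current is not None else pinned
```

PyPI has since stopped serving `.asc` signatures, so the signature branch would need a different source of signatures today; the hash and TOFU handling is unchanged.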