Incorporate PEP 740 - Githubissues

astral-sh / uv

An extremely fast Python package and project manager, written in Rust.

https://docs.astral.sh/uv

Apache License 2.0

27.56k stars 793 forks source link

Incorporate PEP 740 #9122

Open alex opened 1 week ago

alex commented 1 week ago

These are now available on PyPI: https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/

Suggestions for ways uv could incorporate these:

When adding a package to uv.lock, include the identity of the publisher in the CLI output
When upgrading a package in uv.lock, display (as a warning or error) the identity if it changes, or if it goes from identity->no identity
Some sort of configuration to allow pinning packages to a given identity (and erroring if they don't come from that)

Ravencentric commented 1 week ago

gh-action-pypi-publish now produces and publishes PEP 740 digital attestations to PyPI by default. Would be nice if uv publish could do the same so that it can be a full replacement for the action.