Open woodruffw opened 1 day ago
- Support for other attestation types. Right now the "PyPI Publish" and SLSA types are supported, although the SLSA type is currently gated off since nothing is uploading it yet. The latter should be enabled.
Is it possible to do this in a job following pypi-upload?
- Support for other attestation types. Right now the "PyPI Publish" and SLSA types are supported, although the SLSA type is currently gated off since nothing is uploading it yet. The latter should be enabled.
Is it possible to do this in a job following pypi-upload?
Not at the moment -- in principle we could add a separate upload endpoint/codepath for uploading attestations to an already-uploaded release, but that doesn't exist yet. For the time being, the assumption is that one or more attestations get uploaded with the release itself, so a user who wants to upload a SLSA attestation should put it in their dist/
alongside their publish attestation.
In other words, a dist/
structure like:
dist/
foo-1.2.3.tar.gz
foo-1.2.3.tar.gz.publish.attestation
foo-1.2.3.tar.gz.slsa.attestation
(The interstitial .publish.
and .slsa
aren't semantically meaningful -- twine
just looks for dist.*.attestation
).
The main roadmap for PEP 740 is in https://github.com/pypi/warehouse/issues/15871; this tracks related items that aren't blockers, but need to be thought about more and/or addressed in the medium-to-long term.
pypi
andtestpypi
respectively). We have a strong source of timeliness in the form of signed time, so we could add these and then require them in new attestations after a period of adoption.