
Feature request: support validating more claims with: pypi-attestations verify pypi #85

Open
Lucas-C opened this issue Jan 13, 2025 · 2 comments


Lucas-C commented Jan 13, 2025

Following the introduction of pypi-attestations verify pypi in #82, I would like to suggest introducing new parameters to validate more claims, like this:

pypi-attestations verify pypi $url --repository https://github.com/py-pdf/fpdf2 --commit b9cfbb6d8ca1eb034e826fd358194e899a1daf28

What do you think about this feature proposal?
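The two claims proposed above (source repository and commit) are not in the attestation payload itself: for Trusted Publishing attestations they are carried as X.509 extensions in the Fulcio signing certificate that backs the Sigstore bundle, so "validating more claims" amounts to binding the already verified certificate to the values a user expects. The following is an added example, not code from pypi-attestations or fpdf2. It assumes the attestation verifier has already validated the certificate chain, Rekor inclusion and signature; it takes the certificate's extensions as a dict of dotted OID to extnValue bytes (with `cryptography`, `Extension.oid.dotted_string` and `UnrecognizedExtension.value` give exactly that), and also shows how the Fulcio OIDs are encoded by building a sample Extensions SEQUENCE inline. The sample values and the DER helpers are constructed for the example.

```python
"""Bind a verified Fulcio signing certificate to an expected source repository and commit.
Added example, not pypi-attestations code; assumes the verifier already validated the
certificate (chain, Rekor inclusion, signature). Stdlib-only DER decoding, runs offline."""
import re

# Fulcio "V2" extension OIDs (sigstore/fulcio docs/oid-info.md); each extnValue is a DER UTF8String.
OID_SOURCE_REPO_URI = "1.3.6.1.4.1.57264.1.12"     # e.g. https://github.com/py-pdf/fpdf2
OID_SOURCE_REPO_DIGEST = "1.3.6.1.4.1.57264.1.13"  # full commit SHA the build ran against


def _tlv_read(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_decode(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_extensions(extensions_der):
    """Decode an X.509 Extensions SEQUENCE into {dotted OID: extnValue bytes}."""
    tag, seq, _ = _tlv_read(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = _tlv_read(seq, pos)
        _, oid, p = _tlv_read(ext, 0)
        tag, val, p = _tlv_read(ext, p)
        if tag == 0x01:                         # optional 'critical' BOOLEAN
            tag, val, p = _tlv_read(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        out[_oid_decode(oid)] = val
    return out


def fulcio_claim(extensions, oid):
    """Return the UTF8String inside a Fulcio V2 extnValue, or None if the OID is absent."""
    raw = extensions.get(oid)
    if raw is None:
        return None
    tag, s, _ = _tlv_read(raw, 0)
    if tag != 0x0C:
        raise ValueError(f"{oid}: expected UTF8String, got tag {tag:#x}")
    return s.decode("utf-8")


def _normalize_repo(ref):
    """Accept 'owner/repo' or a GitHub URL; compare as lowercase 'owner/repo'."""
    ref = re.sub(r"^https?://github\.com/", "", ref.strip().rstrip("/"))
    return ref[:-4].lower() if ref.endswith(".git") else ref.lower()


def check_source_claims(extensions, expected_repository, expected_commit):
    """Return (ok, reasons); every mismatch is reported, not only the first."""
    reasons = []
    if not re.fullmatch(r"[0-9a-fA-F]{40}", expected_commit):
        reasons.append("expected commit must be a full 40-hex SHA; a short SHA would only prefix-match")
    repo = fulcio_claim(extensions, OID_SOURCE_REPO_URI)
    digest = fulcio_claim(extensions, OID_SOURCE_REPO_DIGEST)
    if repo is None or digest is None:
        reasons.append("certificate carries no Fulcio source repository/digest claims")
        return False, reasons
    if _normalize_repo(repo) != _normalize_repo(expected_repository):
        reasons.append(f"repository mismatch: certificate says {repo}")
    if digest.lower() != expected_commit.lower():
        reasons.append(f"commit mismatch: certificate says {digest}")
    return not reasons, reasons


def _tlv(tag, contents):
    n = len(contents)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + contents


def _oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def build_sample_extensions(claims):
    """Constructed sample (not a real certificate): Extensions SEQUENCE OF SEQUENCE {OID, OCTET STRING {UTF8String}}."""
    body = b"".join(
        _tlv(0x30, _tlv(0x06, _oid_encode(oid)) + _tlv(0x04, _tlv(0x0C, text.encode())))
        for oid, text in claims.items()
    )
    return _tlv(0x30, body)
```

Two details matter in practice: accept only a full 40-hex commit, since a short SHA would let a prefix pass, and normalise the repository reference, because Fulcio records the full https://github.com/owner/repo URI while users tend to type owner/repo. The repository and commit alone are not a complete policy; the workflow that signed (Build Config URI, OID 1.3.6.1.4.1.57264.1.18) should normally be pinned as well, otherwise any workflow in the repository, including one added by a compromised contributor, would satisfy the check.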

@woodruffw (Member) commented

Hey @Lucas-C, thanks for the request and sorry for the delay here!

Out of curiosity: how are you currently integrating this package? The CLI is mostly intended for experimentation, and we mostly encourage end users to integrate it directly via the public Python APIs. I think we're not opposed per se to extending the CLI, but we want to make sure that users aren't baking themselves into assumptions around the CLI's stability or availability when the API is intended as the main stabilization point 🙂

Lucas-C (Author) commented Mar 14, 2025

> Out of curiosity: how are you currently integrating this package? The CLI is mostly intended for experimentation, and we mostly encourage end users to integrate it directly via the public Python APIs. I think we're not opposed per se to extending the CLI, but we want to make sure that users aren't baking themselves into assumptions around the CLI's stability or availability when the API is intended as the main stabilization point 🙂

Hi @woodruffw 👋

As a developer and a FLOSS project maintainer, I feel concerned about security, and especially about supply chain attacks.

I wanted to provide fpdf2 end-users with some information & tools on how to verify the provenance of fpdf2 packages.
Following our discussions throughout GitHub threads I initiated this documentation section:
https://py-pdf.github.io/fpdf2/#verifying-provenance

I was thinking in particular about situations in enterprises where packages are not always downloaded directly from PyPI, but from some self-hosted registry (JFrog Artifactory, Sonatype Nexus, etc.), and developers may want to check their integrity to ensure it was not compromised.

That's pretty much it 🙂

If pypi-attestations is not intended for that, and/or you do not think that it should be directly presented to fpdf2 users in this way, I'd be happy to know your views & recommendations about this.
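In the mirror scenario described in this comment, the check that matters most is that the file served by Artifactory or Nexus is byte-for-byte the file the attestation was made over: an attestation fetched from PyPI proves nothing about a mirror's copy until the statement's subject digest is compared with the bytes actually downloaded. The following is an added example, not code from pypi-attestations or fpdf2. It assumes the attestation's signature and signing identity have already been verified by whatever verifier is in use, and covers only the subject binding of the PEP 740 in-toto statement against a local distribution file. The sample statement, filename and "wheel" bytes are constructed for the example.

```python
"""Bind a signature-verified PEP 740 statement to the bytes actually downloaded from a mirror.
Added example, not pypi-attestations code; assumes signature and identity were already
verified. Only the subject (filename + sha256) check is shown here."""
import hashlib
import json

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
PUBLISH_PREDICATE_V1 = "https://docs.pypi.org/attestations/publish/v1"


def check_subject(statement_json, filename, file_bytes):
    """Return (ok, reason) for an in-toto statement against a locally downloaded distribution."""
    stmt = json.loads(statement_json)
    if stmt.get("_type") != STATEMENT_V1:
        return False, f"unexpected statement type {stmt.get('_type')!r}"
    if stmt.get("predicateType") != PUBLISH_PREDICATE_V1:
        return False, f"unexpected predicate type {stmt.get('predicateType')!r}"
    subjects = stmt.get("subject") or []
    if len(subjects) != 1:                       # PEP 740: exactly one subject per attestation
        return False, f"expected exactly one subject, found {len(subjects)}"
    subject = subjects[0]
    if subject.get("name") != filename:          # the subject name is the distribution filename
        return False, f"subject names {subject.get('name')!r}, not {filename!r}"
    attested = (subject.get("digest") or {}).get("sha256", "").lower()
    actual = hashlib.sha256(file_bytes).hexdigest()   # hash the bytes you will install, not a mirror header
    if attested != actual:                       # also fails when the digest is missing
        return False, f"sha256 mismatch: attested {attested or '<missing>'}, local file {actual}"
    return True, "ok"


def build_sample_statement(filename, file_bytes):
    """Constructed sample with the shape of a PEP 740 publish statement (the predicate is null)."""
    return json.dumps({
        "_type": STATEMENT_V1,
        "subject": [{"name": filename, "digest": {"sha256": hashlib.sha256(file_bytes).hexdigest()}}],
        "predicateType": PUBLISH_PREDICATE_V1,
        "predicate": None,
    }).encode()
```

Run this only after signature verification has succeeded: an unverified statement can claim any digest. Together with pinning the signing identity (repository, commit and workflow from the Fulcio certificate), this is what lets a developer behind an internal registry conclude that the artefact they hold is the one the upstream release workflow built.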
