by SethMLarson
990 days ago
Great question! PyPI already supports Trusted Publishers [1], which gets you most of the benefits of SLSA build provenance (provable link between artifacts and a public software repository). Implementing Trusted Publishers is the recommended first step for ecosystems looking to implement build provenance [2].

[1] https://docs.pypi.org/trusted-publishers/
[2] https://github.com/ossf/wg-securing-software-https://docs.py...

I don't think there's a big effort /right now/ to implement complete SLSA build provenance for PyPI and expose it for users to verify.