by westurner
604 days ago
W3C DIDs are verifiable, e.g. with blockchain-certificates/cert-verifier-js and blockchain-certificates/cert-verifier (Python). If PyPI is not a keyserver, if it only hosts the attestations and checks checksums, can it fully solve for [Python] software supply chain security? A table comparing the various known solutions might be good, including md5, sha3, GPG .ASC signatures, TUF, Uptane, Sigstore (Cosign + Rekor), PyPI with/without attestations, VC Verifiable Credentials, and Blockcerts (Verifiable Credentials (DIDs)).