|
|
|
|
|
|
by woodruffw
588 days ago
|
|
|
No, I don't. There's no plan, and there will be no plan, to make installers reject packages that don't have attestations. Doing so is technically and socially impossible, and undesirable to boot. The strongest possible version of this is that projects that do provide attestations will be checked by installers for changes in identity (or regression in attestations). In other words, this feature will only affect packages that opt to provide attestations. And even that is uncertain, since Python packaging is devolved and neither I (nor anybody else involved in this effort) has literally any ability to force installers to do anything. |
|
|