by aragilar
90 days ago
I'm not sure how someone is supposed to use attestations if PyPI refuses to support the forge they use? I'm not sure how this prevents a package getting maliciously uploaded via GitHub Actions? To me, this is going to lead to another bincode incident, because it conflates trust in the maintainer with trust in the platform.