Dustin Ingram
I'm trying to understand the motivation / use case here: is this just to add an additional search filter?
In that case, I guess my follow-up question is: what kind of expectations are we setting around whether the metadata for a generic or ecosystem-specific package type is "correct"...
> Yeah, that's a great question. I think it's entirely out-of-scope for Rekor to do such validation, because we'd have to teach it about each language ecosystem, and I'd like...
> Add some best attempts, i.e. if flask is a dependency and main.py, app.py, or web.py exists, auto-set the entrypoint

This makes a lot of assumptions and could be really...
> What's the harm in starting the convention here? Estimate the most common name (and port, etc), make that the default, and then liberally suggest Procfile so users don't think...
Seems like `.gcloudignore` would be the appropriate tool to use here. I also feel like this is overkill for just checking syntax of the user's function, but I don't have...
I'm in favor of this! My $0.02 based on trying to do this and realizing the feature didn't exist: I expected `python -m build dist/some-tarball.tar.gz` to just work. This would...
> Should `python -m build dist/some-tarball.tar.gz` build both an sdist and a wheel or just the wheel?

I would expect it to work by unzipping/untarring the file into some temporary...
We should also document how reverts and contested advisories should work within this repo. PyPI only gets its data from OSV, but OSV may be pulling from other data sources...
I'm in favor of `flit`'s continued lack of support for `setuptools_scm`-style metadata, mainly for this reason that @takluyver mentioned: > any way that I would address this means... a difference...