Dustin Ingram

630 comments of Dustin Ingram

Thanks @westonsteimel. Since it seems like advisories may originate from GHSA first, which likely would include the version ranges, that would be ideal.

@oliverchang I'm curious if there is precedent for this in other advisory dbs.

Do we need some mechanism for "this entire project is malicious, regardless of version"?

I'm not totally sure what the threshold is for calling these issues "fixed" so I default to leaving them open. In this case, we could add links to the talks...

I think providing non-OIDC email verification for arbitrary domains in general may be a bad idea, and providing it as an alternative to OIDC for package managers like RubyGems or...

> The first is that we would require rubygems.org to operate and secure an OAuth/OIDC infrastructure, which is a significant burden and risk in itself. The major IdPs are...

Well, you @-mentioned me, so now you get a reply. 🙂 My two cents: This seems like it's just shifting complexity from artifact providers to whoever would run a neutral...

> Any thoughts or comments? Anything I got wrong or am misunderstanding? I think this is fairly accurate. I'd say you should think of `build` as the canonical generic build...

> I think build is definitely the thing we should do first. I think you're right that a decent number of folks use pyproject.toml but I didn't see many in...