Donald Stufft
I think it's still a reasonable ask? Trusted publishing reduces the chances that a key can get leaked, and the length of time that a key is valid for, but...
There is now [PEP 694: Upload 2.0 API for Python Package Repositories](https://peps.python.org/pep-0694/), which has discussions on [discuss.python.org](https://discuss.python.org/t/pep-694-upload-2-0-api-for-python-package-repositories/16879) which is relevant to this issue.
I've been thinking about this again, so I looked at exactly what we're storing per `Project`, `Release`, and `File` in terms of metadata. Currently our metadata looks like: - **Project:**...
_WARNING: I've done a fair amount of thinking on this, and in an effort to get that information out of my head I'm just going to brain dump on this...
If this is reading the HTML on Warehouse, I'm pretty sure we surface the dedicated links for home page and download URLs in the metadata as a Project URL named...
Note: I opened https://github.com/pypi/warehouse/issues/14717 to discuss a change I'm planning to make that affects this PR.
I guess I should also mention, once I have this PR in a state that I'm happy with as an outcome, I'll probably try and break this up into smaller...
Blocked on https://github.com/pypa/packaging/issues/733
Also blocked on https://github.com/pypa/packaging/pull/736.
Note: I'm thinking we may want to use integers for permissions here, and an explicit registry of permission integers, which will also allow us to limit which permissions are even...