Facundo Tuesca
Looking a bit into this, here are two ways we could implement it: 1. Move the insecure hashing algorithms to the `decrepit` namespace (eventually, using deprecation warnings first). This way, using...
> lint done!
@gizmoguy Would you be open to a PR that fixes this issue?
@woodruffw What behavior do we want when uploading attestations to a file already in PyPI? Currently, the behavior for duplicate files is either stop the upload process and return OK...
> Having a File OIDCPublisher relationship means that OIDCPublishers are never deleted once one or more files are published against them, even if no Project has that OIDCPublisher registered as...
After further discussion with @woodruffw, we think that it might be better to verify a release's URLs once (at the time the release is created, during the first file's upload),...
> (One thing I just thought of -- `make inittuf` might use this. Can you see if that breaks with these changes?) Ah yeah indeed, `make inittuf` now fails due...
> Hi @woodruffw and @facutuesca, now the rstuf supports python-tuf 4.0.0 @kairoaraujo @woodruffw The newly released `repository-service-tuf==0.12.0b1` has another conflict, this time with `securesystemslib`: ``` repository-service-tuf 0.12.0b1 has requirement securesystemslib[crypto]=0.31.0,...
Fixed by https://github.com/pypi/warehouse/pull/16098
PR open here: https://github.com/pypi/warehouse/pull/15757