Facundo Tuesca

Results 66 comments of Facundo Tuesca

> once we support verifying URLs when attestations are uploaded

~I thought the URL verification would always be via Trusted Publisher, how do the attestations fit here?~ From a conversation:...

@di For verifying URLs of existing releases (when the user uploads files that are not the first file of that release), do we want to verify the URLs using the...

I pushed a commit for also verifying URLs of existing releases. Now, if a file is uploaded for an existing release, we update the verified status of the release's URLs...

> This changeset appears to have introduced some warnings in the test suite:

Looking into it now

> This changeset appears to have introduced some warnings in the test suite:

PR open to fix it here: https://github.com/pypi/warehouse/pull/16528

> @woodruffw any chance you could resurrect the Twine API effort?

As an intermediate solution, would having Twine exit with different status codes depending on the error be possible/desirable? We...

The [fix](https://github.com/trailofbits/pypi-attestations/pull/127) for this has been merged and included in a new release of `pypi-attestations`: [v0.0.27](https://github.com/trailofbits/pypi-attestations/releases/tag/v0.0.27). I've opened a PR in `warehouse` to bump the version: https://github.com/pypi/warehouse/pull/18221

> So yeah, unless I'm missing something, we don't actually need the alias.

Is there any workflow where a user would want to generate a sigstore bundle using the predicate...

Draft PR in `conda/schemas` opened here: https://github.com/conda/schemas/pull/76

I created a draft PR for the implementation here: https://github.com/pypa/pip/pull/12985 (note that it only covers the in-process plugins loaded by entrypoint, not the external `pip ext` commands)