Luke Hinds
@sigmavirus24 / @ericwb I think I have reviewed most of the points now, fancy taking a second sweep?
sorry for late action, changes accepted @ericwb
I am sorry, I just noticed this afterwards https://github.com/ossf/package-feeds/issues/386 Happy to move the conversation there if better.
> I'm keen for a bit more clarity around error handling, retries, etc too. That makes sense. We will make sure those are all covered off, would it work for...
If signing is present it would be good to capture the signature and the pub key used (with the assumption they signed the listed digest with the aforementioned).
> An attacker (e.g. a starjacker) could still publish from one repository via trusted publishing and say the project is from another repo. I can't confess to have read the...
Thanks for the info @dl. I might not have been clear enough here with my thinking, my suggestion is when we are 'verifying' it in https://github.com/pypi/warehouse/issues/14727 , we also expose...
I love the new formatting @gregfurman !
It would be cool to add shipwright to sigstore/friends!