Michael Altfield

Results 529 comments of Michael Altfield

Another theoretical solution to this problem of "how to securely authenticate an asset after download that's not signed" is an append-only, distributed log of hashes of the asset. A few...

So one solution is to store our dependencies as artifacts in a container register. Then we can also sign them using a tool like `cosign`. Our build script could safely...

Today I was working on upgrading python 3.7 to 3.12 and [updating many other dependencies](https://github.com/BusKill/buskill-app/issues/78). Rather than further balloon this repo, I went ahead and created a new repo [buskill-app-deps](https://github.com/BusKill/buskill-app-deps)...

I've since finished and closed the most-recent [fix-the-builds issue](https://github.com/BusKill/buskill-app/issues/78), which included moving all the dependencies for all 3x platform build scripts outside this repo:

* https://github.com/BusKill/buskill-app/issues/78

I think we're about...

All 3x builds were successful after moving the dependencies outside this repo.

* https://github.com/BusKill/buskill-app/actions/runs/10084283950

This ticket is complete.

I'm re-opening this, as it appears that (after deleting the depends above) our macos build did, in fact, break. The most-recent build prior to me deleting the depends from this repo...

ok, it looks like our build script simply references old versions of the depends; hopefully we can just bump them up

```
2024-07-24T21:29:37.4167510Z Successfully installed pip-24.0
2024-07-24T21:29:37.4710780Z ++ pwd
2024-07-24T21:29:37.4714220Z...
```

I updated the build script to use the versions of setuptools and wheel that are *actually* present in the new deps repo, but I'm still getting an error about certifi...

ok, I think it is related. Here's the output from the build log of the most recent version that worked

* https://github.com/BusKill/buskill-app/actions/runs/10084066193/job/27882068107

```
2024-07-24T21:11:51.6387960Z + /tmp/venv/bin/python3 -m pip install --ignore-installed...
```

oh, it looks like it actually gave up before and reverted from `requests-2.31.0` to `requests-2.24.0`.

```
2024-07-24T21:11:52.2525030Z Processing ./build/deps/requests-2.31.0-py3-none-any.whl (from Kivy-Garden>=0.1.4->Kivy==2.3.0)
2024-07-24T21:11:52.2643210Z INFO: pip is looking at multiple versions of requests...
```