
Implement PEP 708

Open cofiem opened this issue 1 year ago • 2 comments

Implement PEP 708 - "Extending the Repository API to Mitigate Dependency Confusion Attacks".

Allows pip to use Repository "Tracks" Metadata and "Alternate Locations" Metadata.

Relates to #11784

cofiem avatar Jun 30 '24 10:06 cofiem
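To make the two pieces of metadata the PR description names concrete, here is an added illustration of how an installer could decide whether a project name that shows up in more than one configured repository may be merged. This is example code written for this page, not pip's code and not the code in this PR. It assumes the JSON form of the PEP as I read it (a `tracks` list under `meta`, and a top-level `alternate-locations` list, both holding project-page URLs), and the merge policy it applies (one-sided `tracks` is honoured because the user chose to configure that repository; `alternate-locations` must be mutual) is my reading of the PEP, not a statement of what pip will ship. The sample responses and repository URLs are constructed.

```python
"""Merge policy for a project found in several repositories, driven by PEP 708
metadata. Added illustration; not pip's code and not this PR's code."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set  # typing.* rather than builtins: pip still supports 3.8


def _norm(url: str) -> str:
    """Compare project-page URLs with a single trailing slash (assumption: exact match)."""
    return url.rstrip("/") + "/"


@dataclass
class ProjectPage:
    url: str                                                     # e.g. https://pypi.org/simple/foo/
    files: List[str]
    tracks: List[str] = field(default_factory=list)              # from meta["tracks"] (assumed key)
    alternate_locations: List[str] = field(default_factory=list)  # from "alternate-locations" (assumed key)


def parse_project_page(url: str, payload: Dict) -> ProjectPage:
    """Pull the two PEP 708 fields out of a Simple-API JSON project response."""
    meta = payload.get("meta", {})
    return ProjectPage(
        url=_norm(url),
        files=[f["filename"] for f in payload.get("files", [])],
        tracks=[_norm(u) for u in meta.get("tracks", [])],
        alternate_locations=[_norm(u) for u in payload.get("alternate-locations", [])],
    )


def linked(a: ProjectPage, b: ProjectPage) -> bool:
    """Two pages may be merged when one declares it tracks the other, or when each
    lists the other as an alternate location. A one-sided alternate claim is ignored:
    otherwise any index could declare itself an alternate for PyPI's page."""
    if b.url in a.tracks or a.url in b.tracks:
        return True
    return b.url in a.alternate_locations and a.url in b.alternate_locations


class RepositoryConflict(Exception):
    """Same project name served by repositories that do not vouch for each other."""


def merge_candidates(pages: List[ProjectPage], allow_unlinked: bool = False) -> List[str]:
    """Union of filenames if every pair of pages is linked; otherwise raise, unless
    the user explicitly opted in (allow_unlinked is a hypothetical opt-in switch)."""
    for i, a in enumerate(pages):
        for b in pages[i + 1:]:
            if not linked(a, b) and not allow_unlinked:
                raise RepositoryConflict(f"{a.url} and {b.url} both serve this project")
    seen: Set[str] = set()
    out: List[str] = []
    for page in pages:
        for name in page.files:
            if name not in seen:
                seen.add(name)
                out.append(name)
    return out


def conflicts(pages: List[ProjectPage]) -> bool:
    """True when the default policy would refuse to merge these pages."""
    try:
        merge_candidates(pages)
    except RepositoryConflict:
        return True
    return False


# Constructed sample responses (not real index data).
PYPI = parse_project_page("https://pypi.org/simple/foo/", {
    "meta": {"api-version": "1.1"},
    "name": "foo",
    "alternate-locations": ["https://mirror.example/simple/foo/"],
    "files": [{"filename": "foo-1.0-py3-none-any.whl"}],
})
MIRROR = parse_project_page("https://mirror.example/simple/foo", {
    "meta": {"api-version": "1.1", "tracks": ["https://pypi.org/simple/foo/"]},
    "name": "foo",
    "alternate-locations": ["https://pypi.org/simple/foo/"],
    "files": [{"filename": "foo-1.0-py3-none-any.whl"}, {"filename": "foo-1.0.tar.gz"}],
})
# Unrelated private index publishing the same name: the dependency-confusion case.
PRIVATE = parse_project_page("https://internal.example/simple/foo/", {
    "meta": {"api-version": "1.1"},
    "name": "foo",
    "files": [{"filename": "foo-99.0-py3-none-any.whl"}],
})
```

With these inputs the PyPI page and its mirror merge (the mirror tracks PyPI and the alternate-location claim is mutual), while PyPI plus the private index raises `RepositoryConflict` instead of silently letting `foo-99.0` win on version, which is the behaviour the PEP is meant to make possible for installers.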

A simple beginning, to check that my understanding is reasonable.

I plan, but do not promise, to continue working on this as I am able.

cofiem avatar Jun 30 '24 10:06 cofiem

FYI, you can't use modern typing in Pip while Pip still supports Python 3.8, e.g. set[str] needs to be from typing import Set; Set[str]

notatallshaw avatar Aug 16 '24 17:08 notatallshaw

I'm no longer able to work on this PR. Someone else is welcome to take it over, or it can be closed.

cofiem avatar Jan 17 '25 00:01 cofiem

Thanks @cofiem for letting us know, I will relay this back to the discussion community to see if someone else is sufficiently motivated to implement this.

notatallshaw avatar Jan 17 '25 15:01 notatallshaw

Thanks @cofiem - I'll be honest, I hadn't realised that PyPI had implemented PEP 708 (thanks for your work doing that as well!) so I assumed this was relatively low priority. That's my mistake, for which I apologise. Hopefully someone else can pick this up and build on the work you've done.

pfmoore avatar Jan 17 '25 16:01 pfmoore

Hi @cofiem, please don't close this PR. I believe I may be interested in helping to land this PR.

atalman avatar Mar 14 '25 20:03 atalman

> please don't close this PR. I believe I may be interested in helping to land this PR.

You're welcome to open a new PR with existing and/or new commits.

notatallshaw avatar Mar 14 '25 21:03 notatallshaw