Why pylock.toml includes digital attestations
Including digital attestations in pylock.toml allows developers to verify the origin and integrity of dependencies, not just their versions and hashes, improving protection against supply chain attacks. The broader point is that modern package security requires provenance, not just reproducibility, so lock files are evolving from “what to install” into “what can be trusted to install.”
https://snarky.ca/why-pylock-toml-includes-digital-attestations/
Tall, Snarky Canadian
A Python project got hacked where malicious releases were directly uploaded to PyPI. I said on Mastodon that had the project used trusted publishing with digital attestations, then people using a pylock.toml file would have noticed something odd was going…