
Integrate SLSA into poetry

Open fretchen opened this issue 1 year ago • 0 comments

Issue Kind

Brand new capability

Description

It would seem that SLSA is a framework to make it safer to work with open source packages.

Now it would also seem to have an integration with releases on GitHub:

https://sethmlarson.dev/python-and-slsa

However, the release procedure of poetry is quite nice, and it would be nice to integrate this into the publish procedure. So, based on this discussion, I am opening an issue on it.

Impact

It would make it more direct to secure packages that are published with poetry through the SLSA framework. This would make it easier to verify that the package indeed stems from the place that was intended.

Workarounds

Right now, it would seem that the main path is to publish directly via GitHub, and then you can directly use the GitHub Action.

fretchen avatar Feb 29 '24 06:02 fretchen
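The workaround the issue describes, written out as a release workflow, is shown below. This is an added example and is not code from the issue author, the poetry project or the SLSA project: it builds the distribution with poetry, hands the SHA-256 digests of the built files to the SLSA generic provenance generator as subjects, and then publishes. The repository layout, the Python version, the tag pattern and the generator version tag are assumptions; pin the generator to whatever release is current when you adopt it.

```yaml
# Added example (not from the issue or the poetry project): a tag-triggered
# release that builds with poetry, generates SLSA provenance for the built
# files via the slsa-github-generator reusable workflow, and publishes.
# Assumptions: repository uses poetry, Python 3.12, tags named v*, and the
# generator version tag below is illustrative.
name: release

on:
  push:
    tags: ["v*"]

# Least privilege by default; each job raises only what it needs.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build sdist and wheel with poetry
        run: |
          python -m pip install poetry
          poetry build
      - name: Record sha256 of every artifact (these become the provenance subjects)
        id: hash
        run: |
          cd dist
          echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          if-no-files-found: error

  provenance:
    needs: [build]
    permissions:
      actions: read      # the generator reads the build job's metadata
      id-token: write    # OIDC identity used to sign the provenance
      contents: write    # needed only because upload-assets attaches it to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true

  publish:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    permissions:
      id-token: write    # trusted publishing to PyPI, no long-lived API token
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The point of the split into separate jobs is that the job producing the provenance is the reusable workflow itself, not the build job, so the build step cannot forge its own attestation. A consumer who wants to confirm that a wheel "stems from the place that was intended" checks it against the `.intoto.jsonl` file attached to the release with `slsa-verifier verify-artifact`, passing `--provenance-path` and `--source-uri github.com/<owner>/<repo>`; the verifier fails if the digest of the file does not appear among the subjects or if the signing identity does not match the named repository.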