Seth Michael Larson

Results: 529 comments of Seth Michael Larson

@danigm Thanks! The new test is failing on Windows, can you take a peek?

@native-api I'm aware you do checksum verification; I am suggesting adding verification of those checksums against the expected release manager identity using Sigstore in CI:

```sh
$ wget https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tar.xz.sigstore
$...
```

Hello, I've discovered a new method you may be interested in after talking more to Sigstore folks: [Cosign](https://github.com/sigstore/cosign) supports offline verification and it's a pre-compiled binary. Please take a look:...
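The two comments above suggest verifying a CPython release artifact against the release manager's Sigstore identity in CI, and doing so offline. The script below is an added example of that check and is not code from the comments, from python.org, or from the sigstore project. It uses the sigstore-python CLI (`python -m sigstore verify identity`) with its `--offline` flag rather than Cosign, and it pins the expected signer per minor release in `expected_identity`; the 3.13 entry (`thomas@python.org`, issuer `https://accounts.google.com`) is an assumption to be confirmed against https://www.python.org/download/sigstore/ before use, as is every other entry you add.

```shell
#!/bin/sh
# Added example: verify a CPython source tarball against the pinned
# release-manager identity using a Sigstore bundle, without a network
# round trip to Rekor or Fulcio at verification time.
set -eu

BASE_URL="https://www.python.org/ftp/python"

# Pinned expected signer per minor release, as "<identity> <oidc-issuer>".
# ASSUMPTION: these values must be copied from python.org's Sigstore page;
# the 3.13 entry is what that page documented when this was written and
# has to be re-checked whenever a release manager changes.
expected_identity() {
    case "$1" in
        3.13) echo "thomas@python.org https://accounts.google.com" ;;
        *)    return 1 ;;
    esac
}

# 3.13.0 -> 3.13 (the minor series selects the release manager).
minor_of() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

tarball_url() {
    printf '%s/%s/Python-%s.tar.xz\n' "$BASE_URL" "$1" "$1"
}

bundle_url() {
    printf '%s.sigstore\n' "$(tarball_url "$1")"
}

# Download the tarball and its .sigstore bundle, then verify that the
# signature chains to the expected identity and issuer. A checksum match
# alone only proves the file equals what the server published; this step
# proves who signed it.
verify_release() {
    version="$1"
    minor=$(minor_of "$version")
    if ! ids=$(expected_identity "$minor"); then
        echo "no pinned release manager identity for Python $minor" >&2
        return 2
    fi
    identity=${ids% *}
    issuer=${ids#* }
    tarball="Python-$version.tar.xz"

    wget -q "$(tarball_url "$version")" "$(bundle_url "$version")"

    # --offline: the bundle carries the certificate, signature and the
    # Rekor inclusion proof, so no transparency-log lookup is needed.
    python -m sigstore verify identity \
        --offline \
        --bundle "$tarball.sigstore" \
        --cert-identity "$identity" \
        --cert-oidc-issuer "$issuer" \
        "$tarball"
}

# Usage in CI: ./verify_cpython.sh 3.13.0
if [ "$#" -gt 0 ]; then
    verify_release "$1"
fi
```

Failing closed on an unknown minor version is deliberate: a new release series should not pass verification until someone has looked up and pinned its release manager, which is exactly the tracking burden the next comment raises.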

> So we'll have to somehow track this "release manager identity"? Because I surmise it's going to change with some frequency.

Indeed, but this changes at the same rate as...

@david-a-wheeler

> Is this functionality critical to PyPI somehow?

This property is used because the ABI of CPython, architectures, and platforms (known in Python-land as "tags") aren't known in advance and...

It doesn't appear to be using 2025 data. @oliverchang was https://github.com/pypa/advisory-database/pull/210 meant to be a temporary solution that never got removed? There's clearly a 2025 data feed (I was able...

I haven't dug in whether that's a safe way to do things. This seems like a useful feature though, being able to configure the connection level window separate from initial...

We have automation that runs [hourly](https://github.com/pypa/advisory-database/actions/runs/6483769746/workflow) but unfortunately requires a few things to go right for the import to happen automatically. However, we only pull right now from the CVE...

Basically we're bounded by the CVE database, so until a CVE record is published we can't scrape it. In this case GHSA was much faster. The record you're mentioning is...