Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://chaos.social/users/dvzrv/statuses/110711697322175596">David Runge (dvzrv@chaos.social)'s status on Friday, 14-Jul-2023 19:49:54 JST</a><a href="https://chaos.social/@dvzrv" title="dvzrv@chaos.social"><img src="https://gnusocial.jp/avatar/149155-48-20230714104954.webp" width="48" height="48" alt="David Runge" style="position: absolute; left: 0; top: 0;">David Runge</a></section><article><p>It seems we'll have a lot of "fun" with the <a href="https://chaos.social/tags/PyPi" rel="tag">#PyPi</a> decision to remove signatures for sdist tarballs (<a href="https://blog.pypi.org/posts/2023-05-23-removing-pgp/" rel="nofollow noreferrer">https://blog.pypi.org/posts/2023-05-23-removing-pgp/</a>) going forward.</p><p>To scream into the void: Yes, PyPi, someone was using those signatures. Distro package maintainers secured user supply chains with it!</p><p>I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile <a href="https://chaos.social/tags/reproduciblebuilds" rel="tag">#reproduciblebuilds</a> is now broken for those packages.</p><p><a href="https://chaos.social/tags/ArchLinux" rel="tag">#ArchLinux</a> <a href="https://chaos.social/tags/packagerlife" rel="tag">#packagerlife</a> <a href="https://chaos.social/tags/Python" rel="tag">#Python</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1792584#notice-3517015">In conversation</a><time datetime="2023-07-14T19:49:54+09:00" title="Friday, 14-Jul-2023 19:49:54 JST">Friday, 14-Jul-2023 19:49:54 JST</time> <span>from <span><a href="https://chaos.social/@dvzrv/110711697322175596" rel="external" title="Sent from chaos.social via ActivityPub">chaos.social</a></span></span><a href="https://chaos.social/@dvzrv/110711697322175596">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: blog.pypi.org</div><h5><a href="https://blog.pypi.org/posts/2023-05-23-removing-pgp/">Removing PGP from PyPI - The Python Package Index</a></h5><div> from <span>Donald Stufft</span></div></header><div>PyPI has removed support for uploading PGP signatures with new releases.</div><footer></footer></article></li><li><article><header><div>No result found on File_thumbnail lookup.</div><h5><a href="http://forward.To/">forward.to - このウェブサイトは販売用です！ - forward リソースおよび情報</a></h5><div></div></header><div>このウェブサイトは販売用です！ forward.to は、あなたがお探しの情報の全ての最新かつ最適なソースです。一般トピックからここから検索できる内容は、forward.toが全てとなります。あなたがお探しの内容が見つかることを願っています！</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
David Runge (dvzrv@chaos.social)'s status on Friday, 14-Jul-2023 19:49:54 JST David Runge
It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.
To scream into the void: Yes, PyPi, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile #reproduciblebuilds is now broken for those packages.
#ArchLinux #packagerlife #Python
In conversationFriday, 14-Jul-2023 19:49:54 JST from chaos.socialpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: blog.pypi.org
  Removing PGP from PyPI - The Python Package Index
  from Donald Stufft
  PyPI has removed support for uploading PGP signatures with new releases.
2. No result found on File_thumbnail lookup.
  forward.to - このウェブサイトは販売用です！ - forward リソースおよび情報
  このウェブサイトは販売用です！ forward.to は、あなたがお探しの情報の全ての最新かつ最適なソースです。一般トピックからここから検索できる内容は、forward.toが全てとなります。あなたがお探しの内容が見つかることを願っています！

Public

Embed Notice

HTML Code

Corresponding Notice