Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/sethmlarson/statuses/113964158502929758">Seth Larson (sethmlarson@fosstodon.org)'s status on Saturday, 08-Feb-2025 08:19:04 JST</a><a href="https://fosstodon.org/@sethmlarson" title="sethmlarson@fosstodon.org"><img src="https://gnusocial.jp/avatar/203009-48-20231021140729.webp" width="48" height="48" alt="Seth Larson" style="position: absolute; left: 0; top: 0;">Seth Larson</a></section><article><p>/Everyone/ is trying their best, there's always more work to do than there is time for.</p><p>I received this email reminder after publishing the latest release of "Truststore" about hardening our publish workflow. This is one of the improvements that PyPI implemented after the Ultralytics supply-chain attack last year to guide folks towards more secure publishing workflows (<a href="https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/" rel="nofollow noreferrer">https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/</a>).</p><p><a href="https://fosstodon.org/tags/python" rel="tag">#python</a> <a href="https://fosstodon.org/tags/pypi" rel="tag">#pypi</a> <a href="https://fosstodon.org/tags/oss" rel="tag">#oss</a> <a href="https://fosstodon.org/tags/opensource" rel="tag">#opensource</a> <a href="https://fosstodon.org/tags/security" rel="tag">#security</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4527810#notice-8865831">In conversation</a><time datetime="2025-02-08T08:19:04+09:00" title="Saturday, 08-Feb-2025 08:19:04 JST">about 5 months ago</time> <span>from <span><a href="https://fosstodon.org/@sethmlarson/113964158502929758" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@sethmlarson/113964158502929758">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4100052">Email from PyPI reading:" A Trusted Publisher for project truststore was just used from a CI/CD job configured with a GitHub environment. The environment used was: Deploy.Since the Trusted Publisher is configured to allow any environment, for security reasons we recommend constraining it to only one.If you are an owner of this project, you can automatically constrain this Trusted Publisher to 'Deploy' by following this link: constrain publisher.Alternatively, you can do this manually by going to the project's publishing settings, deleting the existing Trusted Publisher and creating a new one with the environment set to 'Deploy'."</a></label><br><a href="https://cdn.fosstodon.org/media_attachments/files/113/964/136/120/094/229/original/1e2d242ccb646a2c.png" rel="external">https://cdn.fosstodon.org/media_attachments/files/113/964/136/120/094/229/original/1e2d242ccb646a2c.png</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4100053">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Seth Larson (sethmlarson@fosstodon.org)'s status on Saturday, 08-Feb-2025 08:19:04 JST Seth Larson
/Everyone/ is trying their best, there's always more work to do than there is time for.
I received this email reminder after publishing the latest release of "Truststore" about hardening our publish workflow. This is one of the improvements that PyPI implemented after the Ultralytics supply-chain attack last year to guide folks towards more secure publishing workflows (https://blog.pypi.org/posts/2024-12-11-ultralytics-attack-analysis/).
#python #pypi #oss #opensource #security
In conversationabout 5 months ago from fosstodon.orgpermalink
Attachments
1. Email from PyPI reading: " A Trusted Publisher for project truststore was just used from a CI/CD job configured with a GitHub environment. The environment used was: Deploy. Since the Trusted Publisher is configured to allow any environment, for security reasons we recommend constraining it to only one. If you are an owner of this project, you can automatically constrain this Trusted Publisher to 'Deploy' by following this link: constrain publisher. Alternatively, you can do this manually by going to the project's publishing settings, deleting the existing Trusted Publisher and creating a new one with the environment set to 'Deploy'."
  https://cdn.fosstodon.org/media_attachments/files/113/964/136/120/094/229/original/1e2d242ccb646a2c.png
2. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice