gaborbernat | 12 days ago | on: Defense in Depth: A Practical Guide to Python Supply Chain Security
Practical guide to Python supply chain security covering the full stack: dependency pinning with hashes, vulnerability scanning in CI, SBOMs, Trusted Publishing with OIDC, package attestations via Sigstore, and delayed ingestion for organizations. Written from the perspective of both a PyPA maintainer and enterprise package infrastructure operator. Includes real attack case studies (Ultralytics, GhostAction, Shai-Hulud) and a phased roadmap for adoption.
gaborbernat | 4 years ago | on: You shouldn't invoke setup.py directly
Sadly there's no easy way to mark all those Google searches out of date... One of the big goals of this project is to spread the knowledge though, so you reading it means success.
gaborbernat | 4 years ago | on: You shouldn't invoke setup.py directly
> So much complexity for what is not such a complicated problem to solve.
As someone who actually worked weeks in their spare time, I beg to differ. This is a very complicated problem to solve. And everyone has their own opinion on how things should work, which is governed by their narrow use case. But you see, a "standard" packaging tool needs to be the opposite of a narrow use case. The main reason Anaconda Inc exists is because they wanted to solve this for data science. Even with them being a relatively big corporation, their "solution" is not loved universally, but works ok most of the time.
gaborbernat | 4 years ago | on: You shouldn't invoke setup.py directly
It's less crazy than you think. The foundation historically never had developer employees (today it has just 1 - a CPython core developer that started 3 months ago). The only way to take over a project and make it the de facto standard would be to have (IMHO at least) 5 full-time employees working on it. That's a big investment the foundation doesn't have, and no corporation has committed to support that (for at least 3-4 years). Also, there's the huge backlash the PSF would have to deal with from people who inevitably don't like the chosen standard.
gaborbernat | 7 years ago | on: The State of Python Packaging
Not a big fan of it myself; it's great for people new to programming, but it's easy to quickly grow out of it :thinking: