Jazzband (https://jazzband.co/about/releases) uses an approach that builds and pushes the PyPI packages to an intermediate repository that is owned by the Jazzband organization.
The Jazzband intermediate repository then allows publishing them from the Jazzband organization to PyPI via a push-button deployment from the Travis build. This eliminates the need for having the public PyPI warehouse credentials published to Travis or another target, but requires setting up a private repository. An approach like this (2) of course introduces two additional components to the trust chain compared to the current model (1):

1. With a simple PyPI upload, only the PyPI warehouse and the uploader have to be ultimately trusted, and package signatures are easy to check against known public PGP keys, with 2 parties of trust, but
2. with an intermediate private PyPI upload from e.g. Travis, both Travis and the private intermediate server have to be trusted in addition to the PyPI warehouse and the original author, with 4 parties of trust.

On Tuesday, 12 February 2019 09:36:09 UTC+2, Florian Apolloner wrote:
>
> On Monday, February 11, 2019 at 11:01:55 PM UTC+1, Adam Johnson wrote:
>>
>> Jamesie’s suggestion to use CI is also valid but a bunch more work. I
>> guess the main advantage is you get a blank slate container to work in,
>> which a fresh checkout to a temp dir provides most of the gain for less
>> work.
>>
>
> If I remember we have been hesitant in the past because that would require
> us to give credentials to PyPI etc to the CI service. That said I think
> that is a risk we could take.
>
> Cheers,
> Florian
>

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.