#36563: Adopt PEP 740 attestations for Django release files on PyPI
-------------------------------------+-------------------------------------
     Reporter:  JaeHyuckSa           |                     Type:  New
                                     |  feature
       Status:  new                  |                Component:  Packaging
      Version:  5.2                  |                 Severity:  Normal
     Keywords:  PEP740, PyPI,        |             Triage Stage:
  provenance, attestations,          |  Unreviewed
  release-process                    |
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 Following the Django Forum discussion
 (https://forum.djangoproject.com/t/adopt-pep-740-digital-attestations-for-django-releases/42460/4),
 I’d like to explore adding PEP 740 provenance (digital attestations) for Django’s
 sdists and wheels on PyPI. This looks doable without runtime changes; the
 work should be limited to the release process and docs.

 (A) Keep the current manual release and still adopt PEP 740 by setting up
 Trusted Publishing on PyPI, generating attestations with pypi-
 attestations, and uploading with twine upload --attestations. Adding a
 brief post-upload check in the release guide using PyPI’s Integrity API
 also seems reasonable. Uploading attestations will likely require a
 Trusted Publisher identity.

 (B) Alternatively, move releases to GitHub Actions with Trusted Publishing
 and use pypa/gh-action-pypi-publish@release/v1. This path would require
 changing Django’s release method to GitHub Actions and defining that
 workflow in our docs/release process.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36563>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
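A post-upload check of the kind option (A) mentions, written here as an added example; it is not part of the ticket and not Django's release tooling. It assumes the Integrity API route https://pypi.org/integrity/<project>/<version>/<filename>/provenance with media type application/vnd.pypi.integrity.v1+json, and the provenance field names as laid out in PEP 740 (attestation_bundles, publisher, verification_material, and envelope.statement holding a base64-encoded in-toto statement). The file name Django-5.2-py3-none-any.whl and the django/django publisher are hypothetical, and the embedded provenance object is constructed with placeholder certificate and signature values. The check covers structure and digests only; cryptographic verification of the signature and transparency-log entry belongs to pypi-attestations verify.

```python
# Added example (not Django's release tooling): a post-upload structural check
# of the PEP 740 provenance object that PyPI's Integrity API returns for one
# release file. It confirms the expected Trusted Publisher and that the in-toto
# statement names the file with the sha256 of what was built locally. It does
# NOT verify the Sigstore signature or transparency-log entry; use
# `pypi-attestations verify` for that.
import base64
import hashlib
import json
import os
import urllib.request

# Assumed route and media type of PyPI's Integrity API; confirm against the
# current PyPI documentation before wiring this into a release checklist.
INTEGRITY_API = "https://pypi.org/integrity/{project}/{version}/{filename}/provenance"
INTEGRITY_MEDIA_TYPE = "application/vnd.pypi.integrity.v1+json"
INTOTO_STATEMENT = "https://in-toto.io/Statement/v1"
PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"


def integrity_url(project, version, filename):
    return INTEGRITY_API.format(project=project, version=version, filename=filename)


def fetch_provenance(project, version, filename):
    """GET the provenance object for one release file (needs network access)."""
    req = urllib.request.Request(integrity_url(project, version, filename),
                                 headers={"Accept": INTEGRITY_MEDIA_TYPE})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def sha256_of_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_provenance(provenance, filename, expected_sha256, expected_publisher):
    """Return a list of problems; an empty list means the structural checks passed.

    expected_publisher maps PEP 740 publisher fields ("kind", "repository", ...)
    to the values the release process expects.
    """
    problems = []
    if provenance.get("version") != 1:
        problems.append(f"unexpected provenance version {provenance.get('version')!r}")
    bundles = provenance.get("attestation_bundles") or []
    if not bundles:
        problems.append("no attestation bundles: the file carries no provenance")
    for i, bundle in enumerate(bundles):
        publisher = bundle.get("publisher") or {}
        for field, want in expected_publisher.items():
            if publisher.get(field) != want:
                problems.append(f"bundle {i}: publisher {field}={publisher.get(field)!r}, "
                                f"expected {want!r}")
        attestations = bundle.get("attestations") or []
        if not attestations:
            problems.append(f"bundle {i}: no attestations")
        for j, att in enumerate(attestations):
            material = att.get("verification_material") or {}
            if not material.get("certificate") or not material.get("transparency_entries"):
                problems.append(f"bundle {i} attestation {j}: missing certificate or log entries")
            try:  # the envelope's statement is a base64-encoded in-toto statement
                statement = json.loads(base64.b64decode((att.get("envelope") or {})["statement"]))
            except (KeyError, TypeError, ValueError) as exc:
                problems.append(f"bundle {i} attestation {j}: undecodable statement ({exc!r})")
                continue
            if not isinstance(statement, dict) or statement.get("_type") != INTOTO_STATEMENT:
                problems.append(f"bundle {i} attestation {j}: not an in-toto v1 statement")
                continue
            if statement.get("predicateType") != PUBLISH_PREDICATE:
                problems.append(f"bundle {i} attestation {j}: unexpected predicate type")
            if not any(s.get("name") == filename
                       and (s.get("digest") or {}).get("sha256", "").lower() == expected_sha256.lower()
                       for s in statement.get("subject") or []):
                problems.append(f"bundle {i} attestation {j}: no subject {filename!r} "
                                f"with sha256 digest {expected_sha256}")
    return problems


def verify_release_file(project, version, path, expected_publisher):
    """Fetch and check provenance for a locally built sdist or wheel (needs network)."""
    filename = os.path.basename(path)
    provenance = fetch_provenance(project, version, filename)
    return check_provenance(provenance, filename, sha256_of_file(path), expected_publisher)


# Constructed sample shaped like a PEP 740 provenance object. The certificate
# and signature are placeholders, so it is not a real PyPI response.
SAMPLE_FILENAME = "Django-5.2-py3-none-any.whl"  # hypothetical release file
SAMPLE_SHA256 = hashlib.sha256(b"stand-in for the wheel bytes\n").hexdigest()
EXPECTED_PUBLISHER = {"kind": "GitHub", "repository": "django/django"}
_statement = {"_type": INTOTO_STATEMENT, "predicateType": PUBLISH_PREDICATE, "predicate": None,
              "subject": [{"name": SAMPLE_FILENAME, "digest": {"sha256": SAMPLE_SHA256}}]}
SAMPLE_PROVENANCE = {"version": 1, "attestation_bundles": [{
    "publisher": {"kind": "GitHub", "repository": "django/django", "workflow": "release.yml"},
    "attestations": [{"version": 1,
                      "verification_material": {"certificate": "PLACEHOLDER-CERT",
                                                "transparency_entries": [{"logIndex": "0"}]},
                      "envelope": {"statement": base64.b64encode(json.dumps(_statement).encode()).decode(),
                                   "signature": "PLACEHOLDER-SIG"}}]}]}

if __name__ == "__main__":
    print(check_provenance(SAMPLE_PROVENANCE, SAMPLE_FILENAME, SAMPLE_SHA256, EXPECTED_PUBLISHER))
```

In the release guide this would run right after twine upload --attestations, as verify_release_file("django", version, "dist/<file>", EXPECTED_PUBLISHER) for each sdist and wheel; an empty list is the pass condition, and any digest or publisher mismatch means the artifact PyPI is serving is not the one that was built and attested, which is exactly the case the attestations exist to catch.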

To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/01070198c83aa1eb-5f59f79a-9ee4-4ef1-a2e4-07c92d7d821a-000000%40eu-central-1.amazonses.com.