Simon Willison

Posted some notes on the new PyPI digital attestations feature released today, providing digital signatures that help demonstrate that the package you are downloading from PyPI was built from a specific version of the underlying code on GitHub simonwillison.net/2024/Nov/14/

2 comments
Hugo 雨果

@simon I understand what this does, but I don’t understand the value of it. It provides validation that the build happened on MS’s server and that they used a specific checkout. But if builds are not reproducible (e.g. use unchecksummed external resources), this guarantees nothing. If builds are properly reproducible, what value does the attestation add?

Simon Willison

@whynothugo I like that I can see the git commit hash that was used for the build, which means I can review the code myself
