Grrr... here's https://pypi.org/integrity/pydantic...

Grrr... here's https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance compared to:

curl -s -H 'accept: application/vnd.pypi.integrity.v1+json' https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance | jq

I had to search the PyPI source code to figure out the header I needed to view that page! https://github.com/pypi/warehouse/blob/06a2b586773dfeb72c604eb69396a2a8ede3f424/warehouse/api/integrity.py#L62-L67

Firefox hit to https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance

{
"message": "Request not acceptable"
}

$ curl -s -H 'accept: application/vnd.pypi.integrity.v1+json' https://pypi.org/integrity/pydantic/1.10.19/pydantic-1.10.19-cp310-cp310-macosx_11_0_arm64.whl/provenance | jq
{
"attestation_bundles": [
{
"attestations": [
{
"envelope": {
"signature": "ME...",
"statement": "eyJ..."
},
"verification_material": {
"certificate": "MII...

Like 15 November at 2:34 | Open on fedi.simonwillison.net

2 comments

Eric Portis

@simon imo it's good practice for servers to have some kind of URL pattern that overrides the header and triggers equivalent behavior, for times when the URL author wants to do something particular. But in general, the whole purpose of 'em is for the URL author to get out of the way and let the client supply client-specific info (which the URL author *can't* know) to the server.

15 November at 2:47 | Open on front-end.social

Thomas Sibley

@simon to me it all comes down to documentation: whether it’s the separate URLs to get non-HTML or the alternate media types Accept’d, docs are necessary.

https://docs.pypi.org/api/integrity/#get-provenance-for-file

15 November at 3:12 | Open on metasocial.com

Go Up