On 8/24/25 10:35 PM, Sam James wrote:
> I feel like using something that PyPI makes available has some weight by itself, even if we don't approve of it.

This is 100% where I land on this, unequivocally. We may not agree with the philosophy taken by the upstream (trusting Microsoft with the "keys", effectively), but from my perspective, our ideal is to implement what upstream does -- adding additional verification if we think it's necessary.

I don't have a specific case where this is possible (and I think it'd be a bit brave to suggest it's impossible), but imagine what happens if something is caught by PyPI attestation but not by the Gentoo Python project because we didn't implement it? The downside of not implementing it and it being the wrong decision is *huge*. The downside is much, much smaller if we make the change and, as posited here by many, it's not actually improving the security profile for Gentoo.


-JayF