> PS: The only piece of automation we are missing is the possibility
> to countersign the released artifacts.

That is (likely) going to be part of the Artifact Distribution Platform. In
this case Trusted Publisher is not a replacement for what ADP will be doing;
it merely authenticates the upload operation and replaces personal
keys.

The provenance/attestation feature I linked before,
https://discuss.python.org/t/pep-740-index-support-for-digital-attestations/44498
(Draft PEP 740), when implemented in PyPI, will allow us to upload
attestations together with the artifacts, which will be cool :)

J.



On Thu, Jun 20, 2024 at 2:38 PM Piotr P. Karwasz <piotr.karw...@gmail.com>
wrote:

> Hi Jarek,
>
> On Thu, 20 Jun 2024 at 14:10, Jarek Potiuk <ja...@potiuk.com> wrote:
> > Unless I hear otherwise, I **assume** there are no big reasons against
> > this. My plan is that I will add a GitHub Action (manually triggered,
> > limited to release managers only) which will NOT build the packages, but
> > it will download them from `downloads.apache.org` (or dist.apache.org for
> > RC packages) and publish them to PyPI. This should be really "safe" and will
> > remove the need for us to keep local PyPI keys to upload the packages.
>
> For Maven projects like Log4j, the killer feature we use is the
> "staging repository" provided by Sonatype Nexus:
>
> * our CI build automatically creates a Maven staging repository,
> creates and uploads the sources and binary archive to subversion and
> prepares the release vote and announcement e-mails,
> * during the voting period PMC members compile the code in the source
> archive and compare the binaries with those in the Maven repo,
> * if everything checks out and the vote passes, we publish the staging
> repo to `repository.apache.org`.
>
> I don't know the details on how PyPI works, but some artifact managers
> certainly support Python.
> In the meantime the process you propose pretty much resembles what we
> do in Log4j.
>
> Piotr
>
> PS: The only piece of automation we are missing is the possibility
> to countersign the released artifacts.
> If the build process is reproducible, I should be able to sign my
> local artifacts and upload the signature to the staging repo as a
> confirmation of my +1 vote.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> For additional commands, e-mail:
> security-discuss-h...@community.apache.org
>
>
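The two checks the thread describes, verifying downloaded artifacts against their published checksums before the publish step, and comparing them with a local rebuild as a PMC member would during a vote, as an added example that is not part of this thread and not Apache, Airflow or Log4j tooling. It assumes the common Apache layout of a `<name>.sha512` sidecar next to each artifact and that `.asc` signatures sit alongside; the sample file tree it builds is constructed in a temporary directory, so it runs offline.

```python
"""Release gate: every artifact must match its published .sha512 sidecar
and be byte-identical to a locally rebuilt copy. Added example; the
sidecar layout and file names are assumptions, not project tooling."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

HEX_CHARS = set("0123456789abcdef")
SIDE_SUFFIXES = {".sha512", ".asc"}  # companion files, not artifacts


def sha512_of(path: Path) -> str:
    """Stream the file through SHA-512 so large wheels/sdists stay off the heap."""
    digest = hashlib.sha512()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha512_sidecar(text: str) -> str:
    """Extract the 128 hex digits from a .sha512 sidecar.

    Accepts the `sha512sum` form ("<hex>  <file>") and the
    `gpg --print-md` form ("file: AAAA BBBB ..." over several lines).
    Assumption: the artifact file name is never itself a pure hex string.
    """
    hex_tokens = [t for t in text.lower().split() if set(t) <= HEX_CHARS]
    joined = "".join(hex_tokens)
    if len(joined) != 128:
        raise ValueError("sidecar does not contain exactly one SHA-512 digest")
    return joined


def verify_sidecar(artifact: Path) -> bool:
    """True only if <artifact>.sha512 exists and matches the artifact bytes."""
    sidecar = artifact.with_name(artifact.name + ".sha512")
    if not sidecar.is_file():
        return False
    try:
        return sha512_of(artifact) == parse_sha512_sidecar(sidecar.read_text())
    except ValueError:
        return False


def list_artifacts(directory: Path) -> list:
    return sorted(p for p in directory.iterdir()
                  if p.is_file() and p.suffix not in SIDE_SUFFIXES)


def compare_rebuild(downloaded: Path, rebuilt: Path) -> dict:
    """Compare each downloaded artifact with the same-named file from a local rebuild."""
    report = {"match": [], "mismatch": [], "missing": []}
    for art in list_artifacts(downloaded):
        local = rebuilt / art.name
        if not local.is_file():
            report["missing"].append(art.name)
        elif sha512_of(art) == sha512_of(local):
            report["match"].append(art.name)
        else:
            report["mismatch"].append(art.name)
    return report


def release_check(downloaded: Path, rebuilt: Path) -> dict:
    """Gate for the publish step: fail closed on any checksum or rebuild discrepancy."""
    checksum_failures = [p.name for p in list_artifacts(downloaded)
                         if not verify_sidecar(p)]
    rebuild = compare_rebuild(downloaded, rebuilt)
    ok = not checksum_failures and not rebuild["mismatch"] and not rebuild["missing"]
    return {"ok": ok, "checksum_failures": checksum_failures, "rebuild": rebuild}


def demo() -> dict:
    """Constructed sample tree: one clean artifact, one whose published sidecar
    is wrong, and one whose local rebuild differs from the download."""
    root = Path(tempfile.mkdtemp())
    try:
        dl, rb = root / "downloads", root / "rebuild"
        dl.mkdir()
        rb.mkdir()
        files = {  # constructed sample bytes, not real release content
            "pkg-1.0.tar.gz": b"sdist bytes",
            "pkg-1.0-py3-none-any.whl": b"wheel bytes",
            "pkg_plugin-1.0.tar.gz": b"plugin bytes",
        }
        for name, data in files.items():
            (dl / name).write_bytes(data)
            (dl / (name + ".sha512")).write_text(
                f"{hashlib.sha512(data).hexdigest()}  {name}\n")
            (rb / name).write_bytes(data)
        # published sidecar that does not match the file it sits beside
        (dl / "pkg-1.0-py3-none-any.whl.sha512").write_text(
            "0" * 128 + "  pkg-1.0-py3-none-any.whl\n")
        # non-reproducible rebuild: local bytes differ from the download
        (rb / "pkg_plugin-1.0.tar.gz").write_bytes(b"plugin bytes with another timestamp")
        return release_check(dl, rb)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The gate refuses to publish on any discrepancy rather than reporting and continuing, which is the property the "download, don't build, then upload" workflow in the thread relies on: the action only ever forwards bytes whose published checksum and reproducible rebuild both agree.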
