Quick Ways to Secure Your Python PyPI Publishing Workflow!

Want to keep your package safe? Follow these 3 key security steps:

Use GitHub Environments to restrict your publishing workflows
Set up PyPI Trusted Publisher instead of API tokens
Scan your workflows with zizmor (on PyPI) to identify security flaws

Read more in our latest blog post:
https://www.pyopensci.org/blog/python-packaging-security-publish-pypi.html

Can sigtore signatures be uploaded to PyPI, and is there / would there be any use for them?

I was reading through https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/ and noticed the .sigstore files were only uploaded to GitHub Releases.

New blog post on user support frustration, its causes, and how we could build the "infrastructure of equanimity" in #opensource, including ideas for potential cross-project tools & practices.

https://www.harihareswara.net/posts/2023/user-support-equanimity-potential-cross-project-tools-practices-open-source/

Shout-outs to @davidism, Heidi Waterhouse, @offby1, @jacob, Nicole Harris, @bernard, + @georgia for work & conversations that I built on in this piece.

Would be nice to have an indicator on PyPI letting users know when a package is published using trusted publishers.
It adds a nice layer of trust when you can tell that the repo listed is the actual repo that published the artifact.

Whenever Python's packaging ecosystem gets you down, stop for a moment, and think about going to random websites to download a separate .exe installation wizard per-package, manually resolving your dependencies; or modifying distutils so that it doesn't remove manifests from DLLs as you build them...

Stop, and and thank the people who have, and are still, making it _so much_ better than it was.