PEP 740: Index support for digital attestations

[woodruffw]

Adds a PEP for "Index support for digital attestations," which proposes changes to the (unstandardized) upload API and two standard index APIs to expose both digital attestations and additional index-level metadata that will assist consumers in verifying those attestations.

For prior pre-PEP discussion, see: https://discuss.python.org/t/pre-pep-exposing-trusted-publisher-provenance-on-pypi/42337/40

---

📚 Documentation preview 📚: https://pep-previews--3618.org.readthedocs.build/pep-0740/

[Rosuav]

Has this been discussed anywhere? Who is sponsoring this?

[woodruffw]

Has this been discussed anywhere?

Yes: https://discuss.python.org/t/pre-pep-exposing-trusted-publisher-provenance-on-pypi/42337/40

Who is sponsoring this?

This is still in draft because I'm currently working with a group of people (including the PyPI administrators) to determine the appropriate sponsor.

[Rosuav]

Has this been discussed anywhere?

Yes: https://discuss.python.org/t/pre-pep-exposing-trusted-publisher-provenance-on-pypi/42337/40

Cool, can you include that link in the PEP draft please? It might end up getting replaced at some point with a different link, but at least that'll give a bit of context to the draft. Bear in mind that not all of us read every typing-related thread in detail :)

[woodruffw]

Cool, can you include that link in the PEP draft please? It might end up getting replaced at some point with a different link, but at least that'll give a bit of context to the draft.

Sure, no problem! I'm on mobile at the moment, but I'll update the draft once I'm in front of a computer. Apologies for any confusion I've caused 🙂

[Rosuav]

Sure, no problem! I'm on mobile at the moment, but I'll update the draft once I'm in front of a computer.

Yep, no rush, just trying to make sure everyone can see what's going on. Thanks!

[dstufft]

I'll take a look through in a bit, but just to publicly record it, I'm fine sponsoring this and being the delegate for it (It's PyPI so I'm the default delegate anyways).

[woodruffw]

I've marked this as ready for review, now that it has a sponsor and PEP-Delegate (thank you @dstufft!)

[ghost]

All commit authors signed the Contributor License Agreement.

[woodruffw]

For visibility, I had to revert my email address change because of this:

                                                                              
Extension error (pep_sphinx_extensions.pep_zero_generator.pep_index_generator)
:                                                                             
Handler <function create_pep_zero at 0x107615760> for event 'env-before-read-docs' threw an exception (exception: some authors have more than one email address listed:
    William Woodruff: {'william@trailofbits.com', 'william@yossarian.net'})
Command exited with exit code: 2

[hugovk]

Yeah, that's a rather annoying restriction, maybe we should consider removing it? Another option is to also use your ToB email in the other PEPs if you prefer.

[woodruffw]

Yeah, removing it would be ideal (but I can imagine it might be non-trivial, if it's a restriction in the first place).

Using my personal email here is not a significant problem -- the ToB email would accurately reflect that this is for work rather than just funsies, but we have it tracked on our side anyways 🙂

[sethmlarson]

Thanks for this! Here are some thoughts from me on this PEP:

[woodruffw]

All feedback above is addressed/resolved, so I think approval/merge is next here (unless I've missed something) 🙂

[hugovk]

Also ping sponsor @dstufft.

[dstufft]

LGTM, let's get the discussion rolling!