Collaborative Working Sessions - Python
attestation for python
short recap on trusted publishing:
- pep740: PEP 740 – Index support for digital attestations
- OIDC can be used to log in by authenticating with a third-party identity provider
- uses OIDC to obtain a short-lived token to upload a release
- improves authentication for uploading the artifacts, but does not sign the artifact
- uses a machine identity (not a personal account) as the identity
- the token is only valid for 15 minutes
- the attestation is also put into Sigstore
- the attestation contains the git repo/commit hash only indirectly, as a link
- depends on Sigstore to verify the validity of the signing key
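To make the recap concrete: a PEP 740 attestation wraps a base64 in-toto statement whose subject names the uploaded file and its sha256. The check below, an added example written for these notes (not code from PyPI, PEP 740 or any project mentioned), decodes a constructed sample attestation and verifies only that it is bound to the file you actually downloaded; the signature, certificate and transparency entry still have to be verified with a Sigstore client, which is what the last bullet refers to.

```python
import base64
import hashlib
import json

# Constructed sample artifact; not a real PyPI wheel.
WHEEL_NAME = "example_pkg-1.0.0-py3-none-any.whl"
WHEEL_BYTES = b"PK\x03\x04 constructed placeholder wheel content"
PYPI_PUBLISH = "https://docs.pypi.org/attestations/publish/v1"
INTOTO_V1 = "https://in-toto.io/Statement/v1"

def make_statement(name: str, data: bytes) -> dict:
    """in-toto v1 Statement as carried inside a PEP 740 attestation."""
    return {
        "_type": INTOTO_V1,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
        "predicateType": PYPI_PUBLISH,
        "predicate": None,
    }

def make_attestation(statement: dict) -> dict:
    """PEP 740 attestation object; certificate and signature are placeholders here."""
    return {
        "version": 1,
        "verification_material": {"certificate": "<base64 DER cert>", "transparency_entries": []},
        "envelope": {
            "statement": base64.b64encode(json.dumps(statement).encode()).decode(),
            "signature": "<base64 signature>",
        },
    }

def check_subject(attestation: dict, filename: str, data: bytes) -> list[str]:
    """Return problems found; an empty list means the statement is bound to this file.
    Does NOT verify the signature or certificate: that needs a Sigstore client."""
    problems = []
    if attestation.get("version") != 1:
        problems.append("unsupported attestation version")
    stmt = json.loads(base64.b64decode(attestation["envelope"]["statement"]))
    if stmt.get("_type") != INTOTO_V1:
        problems.append("not an in-toto v1 statement")
    if stmt.get("predicateType") != PYPI_PUBLISH:
        problems.append(f"unexpected predicateType {stmt.get('predicateType')!r}")
    subjects = stmt.get("subject", [])
    if len(subjects) != 1:
        problems.append("expected exactly one subject")
    else:
        subj = subjects[0]
        if subj.get("name") != filename:
            problems.append(f"subject name {subj.get('name')!r} != {filename!r}")
        if subj.get("digest", {}).get("sha256") != hashlib.sha256(data).hexdigest():
            problems.append("sha256 digest mismatch")
    return problems
```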
general discussion
python-sphinx may include Sigstore and might give an example of how to do attestation. Getting the source code version out of PyPI is very hard, or not even possible, for many packages.
ossrebuild has a project that tries to find the right source code for a PyPI package. ossrebuild provides attestations for rebuilds.
In the whl archive is a WHEEL file, which describes some environment/metadata.
How to specify the build environment? How to specify the run time environment?
- sbom might help here
- python dependencies (at build time, at run time)
- system run time dependencies (e.g. c libraries, lxml)
- system build time dependencies (e.g. c library headers)
E.g. compiling the lxml Python module or psql: they require toolchains.
What does in-toto specify about dependencies?
.buildinfo is required, either as part of the attestation or as an artifact.
The attestation might have useful information for a rebuild, but it was created for a different reason.
GitHub runners are fully packed and change over time; the GitHub workflow will run on different runners over time.
The package manager could do a lot of things to help reproducible builds (r-b).
Pushing a PEP through takes a long time. Maybe try an experimental approach: add support to a package manager (e.g. hatch or another) first.
- engaging with package managers is necessary
- to understand the issues with attestations
- to solve reproducibility issues that originate at build time in the build backend
- Finding a way to better understand how attestation may help in the cause of reproducible builds.
- Recording the environment in programming languages should be as important as in distribution
- It is important to find a nice trade-off to store only necessary information for a build and not everything, otherwise we push towards a “it builds on my fancy machine” but nowhere else.