Describe the feature
Botocore is used by many companies in various projects (https://trailofbits.github.io/are-we-pep740-yet/).
Companies can more safely use Botocore if the package is published with digital attestations according to PEP 740 (https://peps.python.org/pep-0740/).
Hence, boto3 should be published with digital attestations.
Use Case
I want to make sure that the boto3 package on PyPI has not been replaced by malicious actors and that the version I download follows certain quality standards.
Proposed Solution
Implement a publishing CI/CD pipeline that generates and uploads digital attestations.
Example:
https://docs.pypi.org/attestations/
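As an added illustration of the proposed pipeline (example workflow, not boto3's or botocore's own): a GitHub Actions workflow that publishes through PyPI Trusted Publishing and has pypa/gh-action-pypi-publish generate and upload PEP 740 attestations. The workflow trigger, Python version and the `pypi` environment name are assumptions, and the PyPI project is assumed to already have a Trusted Publisher configured for this workflow.

```yaml
# Added example (not the boto3 project's own workflow): build once, then
# publish via Trusted Publishing with PEP 740 attestations enabled.
name: Publish to PyPI with attestations

on:
  release:
    types: [published]   # assumed trigger

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed
      - run: python -m pip install build
      - run: python -m build        # produces dist/*.whl and dist/*.tar.gz
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # The OIDC token is what proves the publisher identity to PyPI and to
    # Sigstore; without id-token: write neither Trusted Publishing nor
    # attestation generation can work.
    permissions:
      id-token: write
      contents: read
    environment: pypi   # assumed environment name; gate it with required reviewers
    steps:
      # Only the built artifacts are needed here: no checkout, so the publish
      # job never sees the source tree or any repository write credentials.
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # Sign every file in dist/ with the workflow's OIDC identity and
          # upload the attestations next to the distribution files.
          attestations: true
```

Attestations are only produced when the upload goes through Trusted Publishing; an upload with a static API token yields none. Consumers can then compare the provenance PyPI records for a file against the repository and workflow they expect before trusting a download.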
Other Information
No response
Acknowledgements
SDK version used
1.36.15
Environment details (OS name and version, etc.)
Does not depend on an environment