Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support PEP 740 Digital Attestation #4427

Open
2 tasks
jornfranke opened this issue Feb 6, 2025 · 1 comment
Open
2 tasks

Support PEP 740 Digital Attestation #4427

jornfranke opened this issue Feb 6, 2025 · 1 comment
Labels
feature-request This issue requests a feature. p3 This is a minor priority issue

Comments

@jornfranke
Copy link

Describe the feature

Boto3 is used by many companies in various projects (https://trailofbits.github.io/are-we-pep740-yet/).

Companies can more safely use boto3 if the package is published with digital attestations according to PEP 740 (https://peps.python.org/pep-0740/).

Hence, boto3 should be published with digital attestations.

Use Case

I want to make sure that the boto3 package on pypi has not been replaced by malicious actors and that the version I download follows certain quality standards.

Proposed Solution

Implement a publishing CI/CD pipeline that generates and uploads digital attestations.

Example:
https://docs.pypi.org/attestations/

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

SDK version used

1.36.15

Environment details (OS name and version, etc.)

Is not environment specific
@jornfranke jornfranke added feature-request This issue requests a feature. needs-triage This issue or PR still needs to be triaged. labels Feb 6, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Feb 7, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK added needs-review p3 This is a minor priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Feb 7, 2025
@RyanFitzSimmonsAK
Copy link
Contributor

Hi @jornfranke, thanks for this feature request. I can definitely see the value in this, but we don't have a specific timeline for implementation at the moment. I'll leave this issue up to track this, and others can 👍 to express interest.

@RyanFitzSimmonsAK RyanFitzSimmonsAK removed their assignment Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request This issue requests a feature. p3 This is a minor priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jornfranke @RyanFitzSimmonsAK