
PEP 740: tweak JSON simple API prescriptions #3768


Merged: 11 commits, Jun 12, 2024

Conversation

@woodruffw (Contributor) commented May 1, 2024

Per discussion with @dstufft: this removes the embedded provenance objects from the simple API and replaces them with digest references, much like the simple index. This has the virtuous effect of reducing the amount of mostly chaff JSON that client API consumers will need to download.

The added Appendix 3 has further details, including a rationale and concrete numbers. These have also been shared in the discussion thread.


This also changes the attestation format: rather than a fixed attestation payload, this now allows in-toto attestation framework-style payloads, wrapped using DSSE's PAE signature payload encoding format. This makes it easier to distinguish the "intent" of different attestations.


📚 Documentation preview 📚: https://pep-previews--3768.org.readthedocs.build/
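The description above mentions two mechanics a client has to get right: the simple API now points at provenance by digest instead of embedding it, and each attestation is an in-toto Statement wrapped in a DSSE envelope whose signature covers the PAE bytes rather than the raw JSON. The following is an added example (not code from this PR or the PEP) that walks a constructed wheel through both steps on the verifying side. The statement type and payload type strings are the published in-toto/DSSE values; the filename, predicate type, the `provenance` key on the file entry, the shape of the provenance document, and the HMAC stand-in for the real signature scheme are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Published in-toto / DSSE identifiers.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample values; none of these come from the PEP or the PR.
SAMPLE_FILENAME = "sampleproject-1.0.0-py3-none-any.whl"      # hypothetical wheel name
SAMPLE_CONTENT = b"abc"                                       # stand-in for the wheel bytes
SAMPLE_PREDICATE_TYPE = "https://example.invalid/predicate/v1"  # hypothetical predicate type


def make_statement(filename, content, predicate_type, predicate):
    """Build an in-toto Statement whose single subject is one distribution file.
    Restricting the DigestSet to sha256 alone is an assumption of this example."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": filename,
                     "digest": {"sha256": hashlib.sha256(content).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the exact bytes that are signed.
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload, lengths in decimal ASCII."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_envelope(statement, key, keyid="demo"):
    """Wrap a Statement in a DSSE envelope. HMAC-SHA256 is a stand-in for the real
    signature scheme; the point shown is that the PAE bytes, not the JSON, are signed."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode("utf-8")
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope, key):
    """Recompute the PAE from the envelope's own payloadType and payload, check the
    signature over it, and only then parse the Statement. Raises ValueError on failure,
    so a swapped payloadType or edited payload never reaches the JSON parser."""
    payload = base64.b64decode(envelope["payload"])
    expected = pae(envelope["payloadType"], payload)
    for s in envelope["signatures"]:
        mac = hmac.new(key, expected, hashlib.sha256).digest()
        if hmac.compare_digest(mac, base64.b64decode(s["sig"])):
            if envelope["payloadType"] != PAYLOAD_TYPE:
                raise ValueError("unexpected payloadType")
            return json.loads(payload)
    raise ValueError("no valid signature")


def subject_matches(statement, filename, content):
    """Bind a verified Statement to the file actually downloaded: exact filename,
    exactly one sha256 digest, and that digest equal to the bytes on disk."""
    if statement.get("_type") != STATEMENT_TYPE:
        return False
    for subj in statement.get("subject", []):
        digest = subj.get("digest", {})
        if subj.get("name") == filename and set(digest) == {"sha256"}:
            return hmac.compare_digest(digest["sha256"], hashlib.sha256(content).hexdigest())
    return False


def provenance_reference_ok(file_entry, provenance_bytes):
    """Digest reference instead of an embedded object: assuming the file entry carries
    the provenance document's sha256 under a "provenance" key (hypothetical name), the
    client fetches the document separately and checks it against that digest first."""
    return hmac.compare_digest(file_entry.get("provenance", ""),
                               hashlib.sha256(provenance_bytes).hexdigest())


def demo():
    """Full client-side flow on the constructed sample; returns True when every check passes."""
    key = b"demo-key"  # shared secret for the HMAC stand-in
    statement = make_statement(SAMPLE_FILENAME, SAMPLE_CONTENT, SAMPLE_PREDICATE_TYPE, {"builder": "ci"})
    env = sign_envelope(statement, key)
    provenance_doc = json.dumps({"attestation_bundles": [env]}).encode("utf-8")  # hypothetical shape
    entry = {"filename": SAMPLE_FILENAME, "provenance": hashlib.sha256(provenance_doc).hexdigest()}
    if not provenance_reference_ok(entry, provenance_doc):
        return False
    verified = verify_envelope(json.loads(provenance_doc)["attestation_bundles"][0], key)
    return subject_matches(verified, SAMPLE_FILENAME, SAMPLE_CONTENT)


if __name__ == "__main__":
    print("ok" if demo() else "FAIL")
```

The order in `demo()` is the part worth keeping: digest check on the fetched provenance document, then signature check over the PAE, then subject binding to the downloaded bytes. Parsing untrusted JSON before any of those checks is the mistake the digest-reference design and the PAE both exist to avoid.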

@woodruffw woodruffw requested a review from dstufft as a code owner May 1, 2024 19:19
@woodruffw (Contributor, Author) commented

Just leaving a comment here for myself: the PEP currently specifies that the "distribution name" goes into the attestation payload, but doesn't say anything about how that name is normalized. So we probably need some additional language in the PEP to say that sdist names get the PEP 625 treatment. Wheel names are already pre-normalized, although maybe we should also "ultranormalize" them to handle different postrelease spellings, etc.

woodruffw added 2 commits June 5, 2024 17:21
DigestSet in in-toto is too flexible.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw requested a review from hugovk June 12, 2024 18:37
woodruffw and others added 2 commits June 12, 2024 16:03
@hugovk hugovk enabled auto-merge (squash) June 12, 2024 20:08
@hugovk hugovk merged commit 67631c3 into python:main Jun 12, 2024
5 of 6 checks passed
@woodruffw woodruffw deleted the ww/740-size branch June 12, 2024 20:15

5 participants