Since we're likely to want SLSA build provenance later, and it imposes a bunch of restrictions on how a workflow is allowed to be used, we should think about building this feature in even if it doesn't get used end-to-end by PyPI now. Creating the provenance file per artifact and then not doing anything with them (unless the user explicitly outputs them to a directory?) might be a good starting point?
Yes, agreed. I suspect that the BYOB might be challenging to use with something like the manylinux base images that we'll need for #2, but planning for it now (and potentially generating the provenance to do nothing with it) sounds like a good idea.
Should be more straightforward now with the new "Bring your own Builder" feature.