Description
Hi! I'm packaging python-pymupdf for Arch Linux.
Describe the bug (mandatory)
At the time of writing 1.18.17 is out on pypi.org but there is no accompanying tag in this repository.
To fend off potential supply chain attacks and to provide users with a version towards which they may report issues, it is best practice to have an accompanying tag for each release on pypi.org.
To Reproduce (mandatory)
https://pypi.org/project/PyMuPDF/1.18.17/#files vs. https://github.com/pymupdf/PyMuPDF/tags
Expected behavior (optional)
A tag is present for each release on pypi.org. Ideally the release on pypi.org and all of its artifacts are created in a CI/CD pipeline from a tag in this repository.
Screenshots (optional)
n/a
Your configuration (mandatory)
- Arch Linux, x86_64
- Python 3.9.6
- 1.18.17 (from source, using a GitHub-generated tarball)
Additional context (optional)
Without an accompanying tag/release it is very hard for downstream distributions to verify whether a release has been done by a malicious third party (as all they would need is access to the pypi.org project/account).
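The check a downstream packager would actually run once a tag exists, as an added example that is not part of the issue above and not code from the PyMuPDF project: diff the sdist published on pypi.org against the archive of the corresponding git tag, file by file, and flag anything in the sdist that is neither in the tag nor a known build-time artifact. The two tarballs are constructed inline here so the script runs offline; in real use you would download the sdist from the pypi.org files page and the tag archive from GitHub and pass their bytes in. `GENERATED_FILES` and `GENERATED_PREFIXES` are assumptions about what setuptools adds to an sdist and should be adjusted per project.

```python
"""Compare a PyPI sdist with a git tag archive, file by file (added example)."""
import hashlib
import io
import tarfile

# Assumption: files setuptools generates into an sdist that a git archive
# legitimately lacks. Extend per project; anything else that is only in the
# sdist is treated as suspicious.
GENERATED_FILES = {"PKG-INFO", "setup.cfg"}
GENERATED_PREFIXES = (".egg-info/",)


def _file_digests(tar_bytes: bytes) -> dict:
    """Map path (top-level directory stripped) -> sha256 hex digest of content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Drop the leading "name-version/" component so that the sdist
            # layout and the git-archive layout line up.
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            data = tar.extractfile(member).read()
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests


def _is_generated(path: str) -> bool:
    base = path.rsplit("/", 1)[-1]
    return base in GENERATED_FILES or any(p in path for p in GENERATED_PREFIXES)


def compare_tarballs(sdist_bytes: bytes, tag_archive_bytes: bytes) -> dict:
    """Return {'modified': [...], 'only_in_sdist': [...], 'only_in_tag': [...]}.

    'modified' lists paths whose content differs between sdist and tag;
    'only_in_sdist' lists sdist-only files that are not known build artifacts.
    Either being non-empty means the sdist is not reproducible from the tag.
    'only_in_tag' is informational: sdists often omit tests, CI config, etc.
    """
    sdist = _file_digests(sdist_bytes)
    tag = _file_digests(tag_archive_bytes)
    modified = sorted(p for p in sdist.keys() & tag.keys() if sdist[p] != tag[p])
    only_in_sdist = sorted(p for p in sdist.keys() - tag.keys() if not _is_generated(p))
    only_in_tag = sorted(tag.keys() - sdist.keys())
    return {"modified": modified, "only_in_sdist": only_in_sdist, "only_in_tag": only_in_tag}


def sdist_matches_tag(sdist_bytes: bytes, tag_archive_bytes: bytes) -> bool:
    """True when every sdist file is either byte-identical to the tag or a known artifact."""
    result = compare_tarballs(sdist_bytes, tag_archive_bytes)
    return not result["modified"] and not result["only_in_sdist"]


def build_tarball(prefix: str, files: dict) -> bytes:
    """Build an in-memory .tar.gz; used here only to construct sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample data (not real PyMuPDF contents): one "tag archive" and
# two "sdists" for the same version string.
TAG_FILES = {
    "setup.py": b"from setuptools import setup\nsetup(name='demo')\n",
    "demo/__init__.py": b"__version__ = '1.18.17'\n",
}
TAG_ARCHIVE = build_tarball("PyMuPDF-1.18.17", TAG_FILES)

# Honest sdist: the tagged sources plus setuptools-generated metadata.
GOOD_SDIST = build_tarball("PyMuPDF-1.18.17", {
    **TAG_FILES,
    "PKG-INFO": b"Name: demo\nVersion: 1.18.17\n",
    "demo.egg-info/SOURCES.txt": b"setup.py\n",
})

# Sdist whose setup.py differs from the tag, which is what an upload made
# with only PyPI account access (and no repository commit) would look like.
BAD_SDIST = build_tarball("PyMuPDF-1.18.17", {
    **TAG_FILES,
    "setup.py": b"# content that never appeared in the tagged repository\n",
    "PKG-INFO": b"Name: demo\nVersion: 1.18.17\n",
})


if __name__ == "__main__":
    for label, sdist in (("good", GOOD_SDIST), ("bad", BAD_SDIST)):
        print(label, sdist_matches_tag(sdist, TAG_ARCHIVE), compare_tarballs(sdist, TAG_ARCHIVE))
```

The comparison deliberately ignores tar metadata (mtimes, owners) and only hashes file contents, since the GitHub tag archive and the sdist are produced by different tools; a content difference in any source file, or an unexplained extra file, is the signal worth escalating.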