Conversation

@mgorny
Contributor

@mgorny mgorny commented Sep 3, 2025

Companion to gentoo/gentoo#43549. The code's a bit hacky, suggestions welcome.

Current results: pypi-provenance.txt

@mgorny
Contributor Author

mgorny commented Oct 13, 2025

@arthurzam, any opinion on this implementation?

Signed-off-by: Michał Górny <mgorny@gentoo.org>
@mgorny mgorny marked this pull request as ready for review October 25, 2025 17:24
@mgorny
Contributor Author

mgorny commented Oct 25, 2025

Okay, I've added a "positive" test. Unfortunately, I haven't been able to figure out how to make a "negative" test work.

@ferringb
Contributor

> Okay, I've added a "positive" test. Unfortunately, I haven't been able to figure out how to make a "negative" test work.

By negative assertion, are you referring to trying to flex these except handlers? If not, what are the failures you're trying to assert, at least at a high level?

This futures/execution setup is new to me, but being attestations are immutable, what are your thoughts on locally caching the results of past positive checks in such a fashion that a network request doesn't need to be made again if it's in the cache?

@mgorny mgorny deleted the pypi-provenance branch November 22, 2025 09:34
@mgorny
Contributor Author

mgorny commented Nov 22, 2025

Kinda. A test that the result isn't output when attestation URL gives 404.
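The two points raised in this thread, caching positive attestation lookups because attestations are immutable, and testing that nothing is reported when the provenance URL answers 404, can be exercised offline if the HTTP fetch is injected. The following is an added example written for this page and is not the pkgcheck PR's own code. The URL shape, the `NotFound` exception protocol, and the `attestation_bundles`/`publisher.kind` layout of the provenance document are assumptions made here, not facts taken from the thread.

```python
"""Added example, not code from the pkgcheck PR: a cached PyPI provenance
lookup with an injectable fetcher, so both the "positive" and the 404
"negative" case can be unit-tested without network access.

Assumptions (labelled here because the thread does not show the check):
- the URL shape follows PyPI's integrity API for PEP 740 provenance;
- a fetcher returns the response body, or raises NotFound on HTTP 404;
- the provenance document carries an "attestation_bundles" list whose
  entries have a "publisher" object with a "kind" key.
"""
import json
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Tuple

PROVENANCE_URL = "https://pypi.org/integrity/{project}/{version}/{filename}/provenance"

Key = Tuple[str, str, str]  # (project, version, filename)
Fetcher = Callable[[str], bytes]


class NotFound(Exception):
    """Raised by a fetcher when the provenance URL answers HTTP 404."""


def parse_publishers(body: bytes) -> List[str]:
    """Extract publisher kinds from a provenance document (assumed layout)."""
    doc = json.loads(body)
    return [bundle.get("publisher", {}).get("kind", "unknown")
            for bundle in doc.get("attestation_bundles", [])]


class ProvenanceChecker:
    """Looks up provenance for distribution files, caching positive results.

    Only successful lookups are cached: a published attestation is immutable,
    so a positive result stays valid. A 404 is not cached, because a project
    may start publishing attestations later, so it is re-queried each time.
    """

    def __init__(self, fetch: Fetcher, workers: int = 4) -> None:
        self._fetch = fetch
        self._workers = workers
        self._cache: Dict[Key, List[str]] = {}
        self._lock = threading.Lock()  # the cache is shared across workers

    @staticmethod
    def url_for(project: str, version: str, filename: str) -> str:
        return PROVENANCE_URL.format(project=project, version=version, filename=filename)

    def check(self, project: str, version: str, filename: str) -> Optional[List[str]]:
        """Return the publisher kinds attesting this file, or None on 404."""
        key = (project, version, filename)
        with self._lock:
            if key in self._cache:
                return self._cache[key]
        try:
            body = self._fetch(self.url_for(*key))
        except NotFound:
            return None  # negative case: no result, nothing cached
        publishers = parse_publishers(body)
        with self._lock:
            self._cache[key] = publishers
        return publishers

    def check_many(self, keys: Iterable[Key]) -> Dict[Key, Optional[List[str]]]:
        """Run several lookups concurrently, as a futures-based check would."""
        keys = list(keys)
        with ThreadPoolExecutor(max_workers=self._workers) as pool:
            return dict(zip(keys, pool.map(lambda k: self.check(*k), keys)))


# Constructed sample data so the example runs offline.
SAMPLE_PROVENANCE = json.dumps({
    "version": 1,
    "attestation_bundles": [
        {"publisher": {"kind": "GitHub", "repository": "example/example"},
         "attestations": [{"version": 1}]},
    ],
}).encode()


class FakeFetcher:
    """Counts requests per URL; answers 404 for any URL not in `bodies`."""

    def __init__(self, bodies: Dict[str, bytes]) -> None:
        self.bodies = bodies
        self.calls: Dict[str, int] = {}

    def __call__(self, url: str) -> bytes:
        self.calls[url] = self.calls.get(url, 0) + 1
        if url not in self.bodies:
            raise NotFound(url)
        return self.bodies[url]


def demo() -> Tuple[Optional[List[str]], Optional[List[str]], int, int]:
    """Two rounds of checks: the hit is fetched once, the 404 every time."""
    good = ("example", "1.0", "example-1.0.tar.gz")        # constructed
    missing = ("example", "0.9", "example-0.9.tar.gz")     # constructed
    fetcher = FakeFetcher({ProvenanceChecker.url_for(*good): SAMPLE_PROVENANCE})
    checker = ProvenanceChecker(fetcher)
    first = checker.check_many([good, missing])
    second = checker.check_many([good, missing])
    return (first[good], second[missing],
            fetcher.calls[ProvenanceChecker.url_for(*good)],
            fetcher.calls[ProvenanceChecker.url_for(*missing)])


if __name__ == "__main__":
    print(demo())  # (['GitHub'], None, 1, 2)
```

With the fetcher injected, the "negative" test is just a fetcher that raises `NotFound` for the URL under test and an assertion that `check` returns `None` and leaves the cache empty; the same harness also shows that a positive result is served from cache on the second round without a further request.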
