> On Jun 25, 2024, at 12:54 AM, Jarek Potiuk <ja...@potiuk.com> wrote:
>
> FYI. I created a proposal [1] in Airflow to switch to the Trusted Publisher
> workflow and providing consensus, we will implement it.
This is cool.
>
> BTW. Interesting finding - I found out while reading the docs that it's
> recommended to use a separate "GitHub Actions Environment" for such trusted
> publishing workflows, which has the added benefit that you can set up to 6
> reviewers of all the workflows run in such an environment. This removes
> the need to manually add a list of "release managers" who are allowed to
> upload packages to PyPI - and it needs "another reviewer" from the list of
> 6 to approve such an upload workflow - which is a nice security feature I had
> not expected.
A quick read indicates that these reviewers can include teams, which I interpret
to mean that it can easily be the whole of the PMC who have linked a GitHub account.
>
> I will see how much of that will be reusable - I will also see if there are
> APIs that we can modify "self-serve" to allow self-management of such
> environment configuration, and in case there is, we will contribute it
> along the way to make it easy for other projects (I've already contributed
> small feature there, so I already know how to do it).
I wonder if a future enhancement would be to use an API to connect to the ADP
to confirm that releases to PyPI (and other distribution platforms) have passed
the PMC’s release VOTE!
Best,
Dave
>
> [1] Airflow Proposal to switch to Trusted Publishing via GitHub Actions
> https://lists.apache.org/thread/t9l91nd4196n9mwsthhnx3qckcj45sxo
> [2] GitHub Actions Environments:
> https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment
>
>
> J.
>
> On Thu, Jun 20, 2024 at 10:05 PM Jarek Potiuk <ja...@potiuk.com> wrote:
>
>> I have not planned to write an action, I thought more of bash/python to
>> pull the artifacts and use existing official action for publishing, but
>> yeah - good idea - I might package that into reusable action that we could
>> use for other projects. Might be generalisable.
>>
>>
>>
>> On Thu, Jun 20, 2024 at 7:52 PM Greg Stein <gst...@gmail.com> wrote:
>>
>>> Hey Jarek ... note that we have an infrastructure-actions repository for
>>> "official ASF" GH Actions. If you agree with that approach, then you can
>>> dev/test there or we can move your tested Action there when you're ready to
>>> share it with others.
>>>
>>> Cheers,
>>> Greg
>>> InfraAdmin, ASF
>>>
>>>
>>> On Thu, Jun 20, 2024 at 7:10 AM Jarek Potiuk <ja...@potiuk.com> wrote:
>>>
>>>> Unless I hear otherwise, I **assume** there are no big reasons against
>>>> this. My plan is that I will add a GitHub Action (manually triggered,
>>>> limited to release managers only) which will NOT build the packages, but it
>>>> will download them from `downloads.apache.org` (or dist.apache.org for RC
>>>> packages) and publish them to PyPI. This should be really "safe" and will
>>>> remove the need for us to keep local PyPI keys to upload the packages.
>>>>
>>>> This will require repo reconfiguration, so I will have to - likely - open a
>>>> JIRA ticket to INFRA - once I do it, I will be happy to describe the steps
>>>> for all other projects that upload packages to PyPI and use GitHub.
>>>>
>>>> Does that make sense?
>>>>
>>>> J.
>>>>
>>>>
>>>> On Fri, Jun 14, 2024 at 12:14 PM Jarek Potiuk <ja...@potiuk.com> wrote:
>>>>
>>>>>
>>>>>> My only question is what do the users see in terms of the verified
>>>>>> identity that performed the release. Does it still appear to have come
>>>>>> from the individual maintainer? The ASF? Somewhere else? I'd only be
>>>>>> concerned if the answer was "somewhere else".
>>>>>>
>>>>>
>>>>> Currently users do not see anything. There was a discussion on Python's
>>>>> discord about exposing Trusted Publisher information in PyPI
>>>>> https://discuss.python.org/t/pre-pep-exposing-trusted-publisher-provenance-on-pypi/42337
>>>>> as a "pre-PEP discussion". This resulted in Draft PEP 740 -
>>>>> https://discuss.python.org/t/pep-740-index-support-for-digital-attestations/44498
>>>>> - where you will be able to upload multiple attestations when you publish
>>>>> your packages. So the thinking is that you can have multiple attestations
>>>>> of provenance of your package when you upload it to PyPI and a trusted
>>>>> publisher will be just one of them. So in our case we could also add our
>>>>> own signatures when we publish. This is still a draft and we will have a
>>>>> chance of influencing the direction, I am sure. Generally Michael and the
>>>>> whole security team are on a spree of onboarding more and more projects
>>>>> to use trusted publishers and they are planning to discuss and implement
>>>>> more security/provenance features when they reach critical mass (from the
>>>>> discussions I had - I believe they are doing very well there - and having
>>>>> stories where prominent projects are on board is going to help with that
>>>>> as well).
>>>>>
>>>>> J.
>>>>>
>>>>>> Mark
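The publish-only workflow Jarek sketches in this thread (manually triggered, no build step, artifacts pulled from downloads.apache.org, gated by an environment with required reviewers, upload via the official PyPA action using Trusted Publishing) looks roughly like the following. This is an added illustration, not Airflow's or ASF Infra's actual workflow. The environment name `pypi`, the `downloads.apache.org/airflow/<version>/` path layout, the artifact file names, the location of the project `KEYS` file and the `sha512sum`-compatible format of the `.sha512` files are assumptions; the `pypa/gh-action-pypi-publish` action and its `packages-dir` input, and the `id-token: write` permission needed for OIDC, are the real ones.

```yaml
# Added example of a "download-and-publish" Trusted Publishing workflow.
# Not the project's own code; see the assumptions listed above.
name: Publish voted release artifacts to PyPI

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Released version as published under downloads.apache.org (assumed layout)"
        required: true

# Least privilege: no write access to the repository, only the OIDC token
# that PyPI exchanges for a short-lived upload credential. No stored API key.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # The required reviewers (up to six people or teams) are configured on
    # this environment in the repository settings, not in YAML; the job waits
    # here until one of them approves. The name must match the environment
    # registered with the Trusted Publisher on PyPI ("pypi" is an assumption).
    environment:
      name: pypi
      url: https://pypi.org/project/apache-airflow/
    steps:
      # Deliberately no actions/checkout and no build: nothing in the
      # repository at HEAD can influence the bytes that get uploaded.
      - name: Download voted artifacts, verify checksums and PGP signatures
        env:
          VERSION: ${{ inputs.version }}
          BASE: https://downloads.apache.org/airflow   # assumed path layout
        run: |
          set -euo pipefail
          export GNUPGHOME="$(mktemp -d)"   # isolated keyring for this job only
          # KEYS is fetched from the same trusted download host, never from
          # the repository checkout. Location is an assumption.
          curl -fsSL "$BASE/KEYS" | gpg --batch --import
          mkdir dist && cd dist
          # Artifact names are assumed for illustration.
          for f in "apache_airflow-${VERSION}-py3-none-any.whl" \
                   "apache_airflow-${VERSION}.tar.gz"; do
            for ext in "" .sha512 .asc; do
              curl -fsSLO "$BASE/$VERSION/$f$ext"
            done
            # .sha512 assumed to be in sha512sum(1) "hash  filename" format.
            sha512sum -c "$f.sha512"
            # Detached signature must verify against a key present in KEYS;
            # gpg exits non-zero on a bad or unknown signature, failing the job.
            gpg --batch --verify "$f.asc" "$f"
          done
          rm -f ./*.sha512 ./*.asc   # upload only the distributions themselves

      - name: Publish to PyPI via Trusted Publishing (OIDC)
        # Pin to a full commit SHA in a real workflow; the tag is shown for readability.
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          packages-dir: dist/
          # For RC packages from dist.apache.org, point at TestPyPI instead:
          # repository-url: https://test.pypi.org/legacy/
```

Two properties matter here: the workflow has no way to produce artifacts itself, so a compromise of the repository cannot change what is published, and the environment gate means a single release manager's GitHub account is not sufficient to trigger an upload.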