Re: Bug#1090897: ITP: python-sigstore-protobuf-specs -- Python bindings for Sigstore's protocol buffer (protobuf) specs

From Simon Josefsson <simon@josefsson.org>
Newsgroups linux.debian.maint.python
Subject Re: Bug#1090897: ITP: python-sigstore-protobuf-specs -- Python bindings for Sigstore's protocol buffer (protobuf) specs
Date 2024-12-21 00:40 +0100
Message-ID <JVUL8-1cWd-11@gated-at.bofh.it> (permalink)
References <JVUL8-1cWd-13@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hi,

I would appreciate packaging review of:

https://salsa.debian.org/python-team/packages/python-sigstore-protobuf-specs

Some questions/concerns:

- Same concern about using PyPI tarballs as for the other packages: some
  files are missing compared to upstream's GitHub repository.  Maybe
  this is actually common for Python packages, and understanding this is
  part of my learning curve.  But it still feels surprising to me, and a
  bit sub-optimal from a supply-chain safety point of view: which
  hosting site to rely on?  PyPI, which publishes tarballs, or GitHub, which
  (should) hold the source code used to generate the tarballs?  How to
  detect when these differ?  What to do about it?

/Simon

Simon Josefsson <simon@josefsson.org> writes:

> Package: wnpp
> Severity: wishlist
> Owner: Simon Josefsson <simon@josefsson.org>
> X-Debbugs-Cc: debian-devel@lists.debian.org, debian-python@lists.debian.org
>
> * Package name    : python-sigstore-protobuf-specs
>   Version         : 0.3.3
>   Upstream Author : The Sigstore Authors
> * URL             : https://github.com/sigstore/protobuf-specs
> * License         : Apache-2
>   Programming Lang: Python
>   Description     : Python bindings for Sigstore's protocol buffer (protobuf) specs
>
>   These are the Python language bindings for Sigstore's protobuf specs.
>
> I plan to maintain this package as part of the Python team:
>
> https://salsa.debian.org/python-team/packages/python-sigstore-protobuf-specs
>
> Work in progress will hopefully be found here:
>
> https://salsa.debian.org/jas/sigstore-protobuf-specs
> https://salsa.debian.org/jas/protobuf-specs
>
> /Simon
>
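
Added example, not part of the original message and not code from Debian or Sigstore: one way to approach the "how to detect when these differ" question is to hash every file in the PyPI sdist and in a checkout of the upstream tag, then report files missing from the sdist, files present only in the sdist, and files whose content differs. The function names, the `generated` allow-list and the sample data are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile


def sdist_files(sdist_bytes):
    """Map relative path -> SHA-256 for regular files in an sdist (.tar.gz)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # sdists wrap everything in one "name-version/" directory; drop it
            rel = member.name.split("/", 1)[-1]
            out[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def compare(sdist_bytes, repo_files, generated=("PKG-INFO",)):
    """Compare an sdist with a repository snapshot given as {path: bytes}."""
    sdist = sdist_files(sdist_bytes)
    repo = {p: hashlib.sha256(b).hexdigest() for p, b in repo_files.items()}
    return {
        # dropped by the sdist build (tests, build scripts, ...)
        "missing_from_sdist": sorted(set(repo) - set(sdist)),
        # not in the repository and not on the allow-list of build outputs
        "only_in_sdist": sorted(p for p in set(sdist) - set(repo) if p not in generated),
        # same path, different bytes: the case that needs a human to look
        "content_differs": sorted(p for p in set(sdist) & set(repo) if sdist[p] != repo[p]),
    }


def build_sample_sdist(files, top="example-0.0.0"):
    """Build a constructed .tar.gz in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data, not the contents of any real package
REPO = {"pyproject.toml": b"[project]\n", "pkg/__init__.py": b"x = 1\n",
        "tests/test_x.py": b"assert True\n", "Makefile": b"all:\n"}
SDIST = build_sample_sdist({"pyproject.toml": b"[project]\n", "PKG-INFO": b"Name: example\n",
                            "pkg/__init__.py": b"x = 2\n", "pkg/_extra.py": b"pass\n"})

if __name__ == "__main__":
    for kind, paths in compare(SDIST, REPO).items():
        print(kind, paths)
```

For a real package, `repo_files` would be read from a checkout of the upstream release tag, limited to the subdirectory the sdist is built from if the Python project does not sit at the repository root.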
