Damus
ARGVMI~1.PIF · 7w
And no, making programmers jump through hoops to publish their code isn't a solution either. When I ended my brief stint maintaining an #npm package, they were cranking up the authentication requirem...
Dr. Bruce Simpson profile picture
@nprofile1q... I had a beard-stroking moment when I saw only 4 "approved" forges are there for PyPi's "Trusted Publisher" feature over the past 48 hours (I've been sciencing the shit out of this very topic right now). They're all "mass market" forges. Neither Codeberg nor SourceHut appear on the list, and to be frank, there's an SBOM case to be made for vendorizing Python dependencies with pdm in a monorepo configuration anyway.
1
Dr. Bruce Simpson · 7w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq9zsljfx8tjyzplququr9xmqctclx0qc2mw5xydzx0udqzrfade4qmtrtl5 One "ecosystem" that has its shit somewhat together is Golang, but that's an appeal to authority: you have to treat Google as the source-of-truth for SBOM security with the centralied Go...