[Git][reproducible-builds/reproducible-website][master] vienna2025: add d3 python notes
lynxis lazus (@lynxis)
gitlab at salsa.debian.org
Thu Oct 30 11:48:00 UTC 2025
lynxis lazus pushed to branch master at Reproducible Builds / reproducible-website
Commits:
f82c1295 by Alexander Couzens at 2025-10-30T12:27:07+01:00
vienna2025: add d3 python notes
- - - - -
2 changed files:
- _events/vienna2025/agenda.md
- + _events/vienna2025/agenda/d3-python.md
Changes:
=====================================
_events/vienna2025/agenda.md
=====================================
@@ -149,7 +149,7 @@ The day will start with a summary of Day 2 outcomes and a Day 3 Agenda Overview.
** NOTES: https://pad.riseup.net/p/rbsummmit2025-d3-engagingacademia-keep
* Python
-** NOTES: https://pad.riseup.net/p/rbsummmit2025-d3-python-keep
+** [NOTES](/events/vienna2025/agenda/d3-python)
* RB Definition
** NOTES: https://pad.riseup.net/p/rbsummmit2025-d3-rbdefinition-keep
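Review bot: the `-`/`+` pair in this hunk drops the pad URL (`https://pad.riseup.net/p/rbsummmit2025-d3-python-keep`) for the Python session while the neighbouring sessions (`engagingacademia`, `rbdefinition`) keep theirs, and the new `d3-python` page added in this commit does not say where its notes were transcribed from. Consider keeping the pad reference next to the new link, e.g. `** [NOTES](/events/vienna2025/agenda/d3-python) (pad: https://pad.riseup.net/p/rbsummmit2025-d3-python-keep)`, so the source of the notes stays traceable and the list stays consistent.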
=====================================
_events/vienna2025/agenda/d3-python.md
=====================================
@@ -0,0 +1,55 @@
+# attestation for python
+
+## short recap on trusted publishing:
+
+* pep740: PEP 740 – Index support for digital attestations
+* oidc can be used to login by authing by a 3rd party auth provider
+* uses oidc to get a short lived token to upload a release
+* improves the authentication to upload of the artifcats, but not signes the artificate
+* use a machine id as identity
+* token is only valid for 15 minutes
+* the attestation is also put into sigstore
+* attestation contains git repo/hash indirect as a link
+* depends on sixstore to verify the validity of the signing key
+
+## general discussion
+
+python-sphinx may include sixstore and might give an example how to do attestation.
+getting source code versions out of pypi is very hard/difficult or not even possible for many packages
+
+ossrebuild has a project which tries to find the right source code of a pypi package.
+ossrebuild provide attestation for rebuilds.
+
+In the whl archive is a WHEEL file, which describes some environment/meta data.
+
+How to specify the build environment?
+How to sepcify the run time environment?
+
+* sbom might help here
+* python dependencies (at build time, at run time)
+* system run time dependencies (e.g. c libraries, lxml)
+* system build time dependencies (e.g. c library headers)
+
+E.g. compiling lxml python module or psql, they require toolchains.
+
+What does in-toto specify about dependencies?
+
+.buildinfo is required, either as part of the attestation or as artifact.
+
+attestation might have useful information to rebuild, but was created for a different reason
+
+github runners are fully packed and changes over time.
+the github workflow will run on different runners over time.
+
+The package manager could do a lot of things to help r-b.
+
+pushing through the pep takes a long time.
+maybe try to do an experimental approach to add support for a package manager (e.g. hatch or other).
+
+* engaging with package managers is necessary
+ * to understand issues of attestations
+ * to solve reproducibility issues that originate during build time by the build backend
+* Finding a way to better understand how attestation may help in the cause of reproducible builds.
+* Recording the environment in programming languages should be as important as in distribution
+* It is important to find a nice trade-off to store only necessary information for a build and not everything, otherwise we push towards a “it builds on my fancy machine” but nowhere else.
+
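Review bot: the name of the transparency service is spelled inconsistently inside this file: `sigstore` in `the attestation is also put into sigstore` but `sixstore` in `depends on sixstore to verify the validity of the signing key` and `python-sphinx may include sixstore`; since this refers to one specific project, the three lines should agree on `sigstore`. A few further typos are worth fixing before the page is published: `artifcats` / `artificate` / `signes` in the trusted-publishing recap, `sepcify` in `How to sepcify the run time environment?`, and `changes` in `github runners are fully packed and changes over time`, which should read `change`. Minor style point: the heading `## short recap on trusted publishing:` ends with a colon while `## general discussion` does not.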
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/f82c129552c163dbc0ae658cc066f1549af0f036