Bump pypi-attestations to v0.0.12 in the runtime lock file #262

Merged (1 commit), Sep 20, 2024

Conversation

woodruffw (Member)

This is a small dep bump, following a discovery we made in trailofbits/pypi-attestations#48 -- Pydantic's default Base64 encode/decode inserts newlines every 76 characters (pydantic/pydantic#9072 (comment)), resulting in encodings that aren't valid "plain" base64 and that aren't consistent with what PEP 740 stipulates.

The good news is that this isn't too problematic since PyPI hasn't persisted any (malformed) attestations yet; the bad news is that it requires this bump 🙂

CC @facutuesca for visibility

Signed-off-by: William Woodruff <william@trailofbits.com>
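To make the mismatch described above concrete, here is an added example (not code from this PR, from pypi-attestations or from Pydantic) contrasting plain base64 with the newline-every-76-characters MIME form, and a strict check a consumer can apply so the malformed form is rejected instead of being silently decoded. The sample bytes and all function names are constructed for this illustration.

```python
import base64
import binascii
import re

# Constructed sample payload (100 bytes) so the plain encoding exceeds 76 chars.
SAMPLE = bytes(range(100))

# Strict RFC 4648 section 4 alphabet with optional trailing padding, nothing else.
_PLAIN_B64 = re.compile(rb"[A-Za-z0-9+/]*={0,2}")


def encode_plain(data: bytes) -> str:
    """Plain base64: standard alphabet, padded, no line breaks (what PEP 740 expects)."""
    return base64.b64encode(data).decode("ascii")


def encode_mime_style(data: bytes) -> str:
    """The form the PR describes: base64.encodebytes() is the MIME flavour and
    inserts a newline after every 76 output characters (plus a trailing one)."""
    return base64.encodebytes(data).decode("ascii")


def lenient_decode(text: str) -> bytes:
    """base64.decodebytes() silently skips newlines, so it accepts both forms.
    That leniency is why the malformed encoding is not noticed on decode."""
    return base64.decodebytes(text.encode("ascii"))


def is_plain_base64(text: str) -> bool:
    """True only for strict plain base64: ASCII, alphabet-only, length a
    multiple of 4 and decodable with validation; any whitespace fails."""
    try:
        raw = text.encode("ascii")
    except UnicodeEncodeError:
        return False
    if _PLAIN_B64.fullmatch(raw) is None or len(raw) % 4 != 0:
        return False
    try:
        base64.b64decode(raw, validate=True)
    except binascii.Error:
        return False
    return True


def decode_plain(text: str) -> bytes:
    """Decode only strict plain base64; refuse the newline-bearing form so a
    malformed attestation is rejected rather than silently accepted."""
    if not is_plain_base64(text):
        raise ValueError("not plain base64 (line breaks, whitespace or bad alphabet)")
    return base64.b64decode(text, validate=True)
```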
@woodruffw (Member, Author)

NB: This also requires a change to Warehouse, which I'll be submitting shortly and cross-linking.

woodruffw added a commit to trail-of-forks/warehouse that referenced this pull request Sep 19, 2024
See pypa/gh-action-pypi-publish#262
for additional context.

Signed-off-by: William Woodruff <william@trailofbits.com>
@woodruffw (Member, Author)

Associated Warehouse change: pypi/warehouse#16757

di added a commit to pypi/warehouse that referenced this pull request Sep 19, 2024
* requirements: bump pypi-attestations to 0.0.12

See pypa/gh-action-pypi-publish#262
for additional context.

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: fixup types

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Dustin Ingram <di@users.noreply.github.com>
@henryiii henryiii mentioned this pull request Sep 20, 2024
@webknjaz webknjaz changed the title requirements: bump pypi-attestations to 0.0.12 Bump pypi-attestations to v0.0.12 in the runtime lock file Sep 20, 2024
@webknjaz webknjaz left a comment

Thanks! Hopefully, this will fix #263...

@webknjaz webknjaz merged commit 897895f into pypa:unstable/v1 Sep 20, 2024
2 checks passed
@woodruffw woodruffw deleted the ww/bump-attestations-req branch September 21, 2024 07:54