Comments (4)
I think there are infinitely higher priorities and this is really just a box-ticking exercise. IME your dependencies not having signed commits/tags isn't going to be the biggest security hole in your organization.
That said, if you did want to sign commits/tags you can add an SSH signing key to your GitHub account with e.g.
gh ssh-key add ~/.ssh/id_ed25519.pub --type signing
...and configure git to use it with something like:
git config --global gpg.format ssh
git config --global user.signingkey "~/.ssh/id_ed25519"
git config --global commit.gpgsign true
git config --global tag.gpgsign true
git config --global gpg.ssh.allowedSignersFile "~/.config/git/allowed_signers"
...and you can create the allowed_signers file with:
mkdir -p ~/.config/git && echo "$(git config --get user.email) $(cat ~/.ssh/id_ed25519.pub)" >> ~/.config/git/allowed_signers
If you create tags via the GitHub UI, that won't help you, as GitHub creates lightweight tags.
In my own workflow I create signed, annotated tags locally and have GitHub actions create a release automatically.
release.yaml
name: github/release
run-name: "[${{ github.ref_name }}] github/release"
on:
  push:
    tags:
      - '*'
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - id: checkout_source
        name: Checkout Source
        # https://github.com/actions/checkout
        uses: actions/checkout@v4
      - id: create_release
        name: Create Release
        shell: bash
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euox pipefail
          # https://cli.github.com/manual/gh_release_create
          gh release create '${{ github.ref_name }}' \
            --repo='${{ github.repository }}' \
            --title='Release ${{ github.ref_name }}' \
            --generate-notes \
            --draft
Note
I'm just adding this for informational purposes, in case you are interested. I'm not actually recommending you spend valuable development time on this!
from msgspec.
I'm willing to try this for at least a few releases. The latest release (0.18.6, currently still building) is made from a signed commit. Closing.
from msgspec.
Releases are initiated via the github UI - all I do is click the "draft a new release" button here when releasing, fill out the info with a new tag, and hit "Publish Release". CI builds the artifacts for pypi and conda-forge. I'm unlikely to make any amendments to this process if they meaningfully increase the release burden - I'm already strapped for OSS time as it is.
How would you go about adding tag signing to this process? What security threat are you hoping this will mitigate? Why should I amend this process to satisfy your request?
from msgspec.
Thanks for creating and supporting this project. I know it is a thankless task to manage an OSS project and it's a lot of work to balance one with a day job.
The main outcome of signing is adding a bit of verification to the software supply chain. Signing helps others verify that the state of the repo at the tag is as you intended. The tags are signed locally before pushing the tag to GitHub.
More recent versions of git support signing with an SSH key, which is a low-friction method if you don't have an existing GPG setup. From there the release tag can be signed with git tag -s $tagname. GitHub has built-in support for showing verification labels for signed commits/tags.
from msgspec.