pyflow VS cosign

Compare pyflow vs cosign and see what are their differences.

pyflow

An installation and dependency system for Python (by David-OConnor)

cosign

Code signing and transparency for containers and binaries (by sigstore)
                pyflow             cosign
Mentions        12                 30
Stars           1,306              4,087
Growth          -                  2.2%
Activity        0.0                9.6
Latest commit   about 1 year ago   3 days ago
Language        Rust               Go
License         MIT License        Apache License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user-suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

pyflow

Posts with mentions or reviews of pyflow. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-02-15.
  • Uv: Python Packaging in Rust
    9 projects | news.ycombinator.com | 15 Feb 2024
    Very cool! Of note, I made something along these lines a few years ago, although with a slightly broader scope to also include managing and installing python versions. I abandoned it due to lack of free time, and edge cases breaking things. The major challenge is that Python packages that aren't wheels can do surprising things due to setup.py running arbitrary code. (https://github.com/David-OConnor/pyflow)
  • Incompatible Child Dependencies -- how are they resolved?
    2 projects | /r/learnpython | 21 Oct 2022
    Pyflow
  • Freezing Requirements with Pip-Tools
    10 projects | news.ycombinator.com | 15 Jul 2022
    Pyflow takes care of the use case when you need pyenv to isolate different python versions, pipx to isolate some global python-based tools, and isolated, reproducible builds per project, with one tool. I highly recommend people give it a go.

    https://github.com/David-OConnor/pyflow#a-thoroughly-biased-...

  • Empty npm package '-' has over 700,000 downloads
    6 projects | /r/programming | 7 Mar 2022
    Pyflow is a similar implementation of PEP582. NGL I wonder if it's better because of how good Rust stuff is. Probably a lot faster. Looks like you can install it via Pypi. I should've tested it before moving to PDM. Though it seems dev is a bit slow. Hmmm.
  • pip and cargo are not the same
    5 projects | /r/rust | 23 Feb 2022
    I’m personally complaining that pip is so much behind cargo. I have some hope with Pyflow though.
  • XKCD | Python Environment
    6 projects | /r/Python | 12 Jan 2022
    I literally stumbled into this issue again today. Has anyone leveraged Pyflow before? It looks pretty slick for keeping things organized. I don't do heavy dev work, just need something to keep things generally tidy. Was curious if anyone had used it and their opinion on it.
  • Moving from pipenv to poetry or PDM
    6 projects | /r/Python | 19 Dec 2021
    PDM is pretty new so it’s not entirely clear how it’ll play out but if you’re interested in PEP 582 then it’s really that or pyflow.
  • Python: Please stop screwing over Linux distros
    5 projects | news.ycombinator.com | 16 Nov 2021
  • Pyflow: An Alternative to Poetry and Pyenv
    1 project | news.ycombinator.com | 1 Sep 2021
  • Cooperative Package Management for Python
    5 projects | news.ycombinator.com | 1 Sep 2021
    It's a good safeguard, and it's going in the direction of the other initiatives to make python package management default behavior saner.

    PEP 582 is another one to follow up: https://www.python.org/dev/peps/pep-0582/

    It basically uses the concept of node_modules, making python interpreters use any local __pypackages__ directory. There are 2 differences though:

    - unlike JS, python can only have one version of one lib

    - but since having several versions of python often matters, you may have several __pypackages__/X.Y sub dirs to cater to each of them

    It does also force you to use "-m" to use commands, which is the best practice anyway. I hope it will make jupyter fix "-m" on windows for them because that's a blocker for beginners.

    If you are not already using "-m", start now. It solves a lot of different problems with running python cli programs.

    E.g.: instead of running "black" or "pylint", do "python -m black" or "python -m pylint". Of course you may want to choose a specific version of python, so "python3.8 -m black" for unix, or "py -3.8 -m black" on windows.

    To test out __pypackages__, give a try to the pdm project: https://github.com/pdm-project/pdm

    At last, some other tools that I wish people knew more about that solve packaging issues:

    - pyflow (https://github.com/David-OConnor/pyflow): it's a package manager like poetry, but it also installs whatever python you want like pyenv. Except it provides the binary, no need to compile anything. It's a young project, but I wish it succeeds because it's really a great concept.

    - shiv (shiv.readthedocs.io/): it leverages the concept of zipapp, meaning the ability that python has to execute python inside a zip file. It's a successor to pex. Basically it lets you bundle your code + all deps from virtualenv inside a zip, like a Java .war file. You can then run the resulting zip, a .pyz file, as if it were a regular .py file. It will unzip on the first run automatically. It makes deployment almost as easy as with golang.

    - nuitka (shiv.readthedocs.io/): take your code and all dependencies, turn them into C, and compiles it. Although it does require a bit of setup, since it needs headers and a compiler, it results reliably in a standalone compiled executable that will run on the same architecture with no need for anything else. Also it will speed up your Python program, up to 4 times.
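The comment above describes the PEP 582 layout: a project-local `__pypackages__` directory with one `X.Y` subdirectory per interpreter version, so that `python3.8 -m tool` and `python3.11 -m tool` each pick up their own install. The Python below is an added example, not code from the comment, from pdm or from pyflow; the function names `pypackages_lib` and `activate` are my own, and the lookup walks upward from a start directory the way a project-local resolver would.

```python
"""Locate the per-interpreter __pypackages__/<X.Y>/lib directory that PEP 582
describes, searching from a start directory up towards the filesystem root."""
import sys
from pathlib import Path


def pypackages_lib(start, version=sys.version_info):
    """Return the first existing <dir>/__pypackages__/<major>.<minor>/lib found
    while walking from `start` up to the root, or None if there is none.

    Each interpreter version gets its own subdirectory, which is how a single
    project can hold installs for several Python versions side by side.
    `version` is any (major, minor, ...) tuple such as sys.version_info."""
    tag = f"{version[0]}.{version[1]}"
    base = Path(start).resolve()
    for directory in (base, *base.parents):
        candidate = directory / "__pypackages__" / tag / "lib"
        if candidate.is_dir():
            return candidate
    return None


def activate(start=None):
    """Prepend the project-local lib directory to sys.path so that
    `python -m tool` resolves the local install before any global one.
    Returns the directory that was added, or None if none was found."""
    lib = pypackages_lib(start or Path.cwd())
    if lib is not None and str(lib) not in sys.path:
        sys.path.insert(0, str(lib))
    return lib


if __name__ == "__main__":
    # Hypothetical usage: report which local lib dir applies to this interpreter.
    print(pypackages_lib(Path.cwd()))
```

The lookup only ever adds a directory whose `X.Y` tag matches the running interpreter, which is the property the comment points at: a 3.8 install is never silently imported into a 3.11 process.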

cosign

Posts with mentions or reviews of cosign. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-11-15.
  • Securing CI/CD Images with Cosign and OPA
    4 projects | dev.to | 15 Nov 2023
    Cosign: In this context, Cosign from the Sigstore project offers a compelling solution. Its simplicity, registry compatibility, and effective link between images and their signatures provide a user-friendly and versatile approach. The integration of Fulcio for certificate management and Rekor for secure logging enhances Cosign's appeal, making it particularly suitable for modern development environments that prioritize security and agility.
  • An Overview of Kubernetes Security Projects at KubeCon Europe 2023
    17 projects | dev.to | 22 May 2023
    sigstore is another suite of tools that focuses on attestation and provenance. Within the suite are two tools I heard mentioned a few times at KubeCon: Cosign and Rekor.
  • Spin 1.0 — The Developer Tool for Serverless WebAssembly
    17 projects | dev.to | 28 Mar 2023
    Since we can distribute Spin applications using popular registry services, we can also take advantage of ecosystem tools such as Sigstore and Cosign, which address the software supply chain issue by signing and verifying applications using Sigstore's new keyless signatures (using OIDC identity tokens from providers such as GitHub).
  • Iron Bank: Secure Registries, Secure Containers
    3 projects | dev.to | 8 Feb 2023
    Use distroless images (which contain only application and its runtime dependencies, and don't include package managers/shells or any other programs you would expect to find in a standard Linux distribution). All distroless images are signed by cosign.
  • Getting hands on with Sigstore Cosign on AWS
    3 projects | dev.to | 31 Jan 2023
    $ COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.pem --signature https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64-keyless.sig https://github.com/sigstore/cosign/releases/download/v1.13.1/cosign-linux-amd64
  • How much are you 'trusting' a docker image from hub.docker.com?
    3 projects | /r/docker | 27 Dec 2022
    Another thing to look for is, whether the image is signed using something like cosign (https://github.com/sigstore/cosign). This lets the publisher digitally sign the image, so you at least know that what's on the registry is what they intended to put there. Handy to avoid the risks of attackers squatting similar names and catching typos.
  • What security controls to prevent someone from pushing arbitrary code into production?
    1 project | /r/devops | 21 Dec 2022
    I'm late but surprised no one has mentioned cosign
  • Docker build fails on GitHub Action after net7 update
    9 projects | /r/dotnet | 14 Dec 2022
    name: Docker

    # This workflow uses actions that are not certified by GitHub.
    # They are provided by a third-party and are governed by
    # separate terms of service, privacy policy, and support
    # documentation.

    on:
      push:
        branches: [ "main" ]
        # Publish semver tags as releases.
        tags: [ 'v*.*.*' ]
      pull_request:
        branches: [ "main" ]
        paths:
          - src/MamisSolidarias.WebAPI.Campaigns/Dockerfile
          - .github/workflows/docker-publish.yml
      workflow_dispatch:

    env:
      # Use docker.io for Docker Hub if empty
      REGISTRY: ghcr.io
      IMAGE_NAME: mamis-solidarias/campaigns

    jobs:
      build:
        runs-on: ubuntu-latest
        permissions:
          contents: read
          packages: write
          # This is used to complete the identity challenge
          # with sigstore/fulcio when running outside of PRs.
          id-token: write

        steps:
          - name: Checkout repository
            uses: actions/checkout@v3

          # Install the cosign tool except on PR
          # https://github.com/sigstore/cosign-installer
          - name: Install cosign
            if: github.event_name != 'pull_request'
            uses: sigstore/cosign-installer@main
            with:
              cosign-release: 'v1.13.1'

          - name: Set up QEMU
            uses: docker/setup-qemu-action@v2
            with:
              platforms: 'arm64'

          # Workaround: https://github.com/docker/build-push-action/issues/461
          - name: Setup Docker buildx
            uses: docker/setup-buildx-action@v2

          # Login against a Docker registry except on PR
          # https://github.com/docker/login-action
          - name: Log into registry ${{ env.REGISTRY }}
            if: github.event_name != 'pull_request'
            uses: docker/login-action@v2
            with:
              registry: ${{ env.REGISTRY }}
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}

          # Extract metadata (tags, labels) for Docker
          # https://github.com/docker/metadata-action
          - name: Extract Docker metadata
            id: meta
            uses: docker/metadata-action@v4
            with:
              images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
              tags: |
                type=schedule
                type=ref,event=branch
                type=ref,event=pr
                type=semver,pattern={{version}}
                type=semver,pattern={{major}}.{{minor}}
                type=semver,pattern={{major}}
                type=sha

          # Build and push Docker image with Buildx (don't push on PR)
          # https://github.com/docker/build-push-action
          - name: Build and push Docker image
            id: build-and-push
            uses: docker/build-push-action@v3
            with:
              context: .
              platforms: linux/amd64, linux/arm64
              file: src/MamisSolidarias.WebAPI.Campaigns/Dockerfile
              push: ${{ github.event_name != 'pull_request' }}
              tags: ${{ steps.meta.outputs.tags }}
              labels: ${{ steps.meta.outputs.labels }}

          # Sign the resulting Docker image digest except on PRs.
          # This will only write to the public Rekor transparency log when the Docker
          # repository is public to avoid leaking data. If you would like to publish
          # transparency data even for private images, pass --force to cosign below.
          # https://github.com/sigstore/cosign
          - name: Sign the published Docker image
            if: ${{ github.event_name != 'pull_request' }}
            env:
              COSIGN_EXPERIMENTAL: "true"
            # This step uses the identity token to provision an ephemeral certificate
            # against the sigstore community Fulcio instance.
            run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
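The workflow above signs the image digest keylessly: Fulcio issues a short-lived certificate bound to the workflow's OIDC identity, and Rekor records it. What that proves to a consumer is only that some identity signed this digest, so the verifying side has to pin which issuer and which subject it trusts (cosign's `--certificate-oidc-issuer` and `--certificate-identity-regexp` flags do this at the command line). The Python below is an added example, not part of the post or of the cosign project: it applies that policy to the JSON payload list that `cosign verify` prints. The key names `critical.image.docker-manifest-digest`, `optional.Issuer` and `optional.Subject` follow cosign's simple-signing output as I know it; the sample payloads, the `example-org/example-repo` names and the digests are constructed for the example.

```python
"""Policy check over `cosign verify` output: a keyless signature is only
evidence of provenance when the signing identity is the one you expect."""
import json
import re

OIDC_ISSUER = "https://token.actions.githubusercontent.com"
# Hypothetical allow-rule: only this repository's publish workflow, run from
# main or from a release tag, may vouch for the image.
ALLOWED_SUBJECT = re.compile(
    r"https://github\.com/example-org/example-repo/\.github/workflows/"
    r"docker-publish\.yml@refs/(heads/main|tags/v.*)"
)
IMAGE_DIGEST = "sha256:" + "ab" * 32  # constructed digest of the image being deployed
GOOD_SUBJECT = ("https://github.com/example-org/example-repo/"
                ".github/workflows/docker-publish.yml@refs/heads/main")


def _payload(digest, issuer, subject):
    """Build one simple-signing payload in the shape `cosign verify` prints."""
    return {
        "critical": {
            "identity": {"docker-reference": "ghcr.io/example-org/example-image"},
            "image": {"docker-manifest-digest": digest},
            "type": "cosign container image signature",
        },
        "optional": {"Issuer": issuer, "Subject": subject},
    }


# Constructed samples, not real cosign output.
GOOD_OUTPUT = json.dumps([_payload(IMAGE_DIGEST, OIDC_ISSUER, GOOD_SUBJECT)])
# Signed through another repository's workflow: Sigstore verifies it fine,
# but it is not an identity this policy trusts.
FORK_OUTPUT = json.dumps([_payload(
    IMAGE_DIGEST, OIDC_ISSUER,
    "https://github.com/someone-else/example-repo/.github/workflows/docker-publish.yml@refs/heads/main")])
# A genuine signature, but over a different (e.g. older) digest than the one deployed.
STALE_OUTPUT = json.dumps([_payload("sha256:" + "cd" * 32, OIDC_ISSUER, GOOD_SUBJECT)])


def evaluate(verify_output, expected_digest, issuer=OIDC_ISSUER, subject_re=ALLOWED_SUBJECT):
    """Return (accepted, reasons). Accepted when at least one signature binds the
    expected digest to the expected issuer and an allowed subject; otherwise
    `reasons` explains why each signature was rejected."""
    try:
        payloads = json.loads(verify_output)
    except json.JSONDecodeError as exc:
        return False, [f"unparseable verify output: {exc}"]
    if not isinstance(payloads, list) or not payloads:
        return False, ["no signatures in verify output"]
    reasons = []
    for idx, payload in enumerate(payloads):
        digest = payload.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        optional = payload.get("optional") or {}
        problems = []
        if digest != expected_digest:
            problems.append(f"digest {digest} != {expected_digest}")
        if optional.get("Issuer") != issuer:
            problems.append(f"issuer {optional.get('Issuer')!r} not trusted")
        if not subject_re.fullmatch(optional.get("Subject") or ""):
            problems.append(f"subject {optional.get('Subject')!r} not allowed")
        if not problems:
            return True, []
        reasons.append(f"signature {idx}: " + "; ".join(problems))
    return False, reasons


if __name__ == "__main__":
    for label, output in (("good", GOOD_OUTPUT), ("fork", FORK_OUTPUT), ("stale", STALE_OUTPUT)):
        print(label, evaluate(output, IMAGE_DIGEST))
```

Checking the digest against the one actually being deployed matters as much as the identity check: `cosign sign` in the workflow signs `tag@digest`, and a tag can later be moved, so a deployment gate should resolve the tag to a digest first and verify that digest.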
  • How to tag base image so images built from it can be tracked
    2 projects | /r/devops | 6 Dec 2022
    After inspecting the layers I think you should start thinking about signing your images: https://github.com/sigstore/cosign/
  • Understanding Kubernetes Limits and Requests
    9 projects | dev.to | 1 Dec 2022
    cosign

What are some alternatives?

When comparing pyflow and cosign you can also consider the following projects:

Poetry - Python packaging and dependency management made easy

notation - A CLI tool to sign and verify artifacts

PDM - A modern Python package and dependency manager supporting the latest PEP standards

in-toto-golang - A Go implementation of in-toto. in-toto is a framework to protect software supply chain integrity.

dephell - :package: :fire: Python project management. Manage packages: convert between formats, lock, install, resolve, isolate, test, build graph, show outdated, audit. Manage venvs, build package, bump version.

connaisseur - An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster

pants - The Pants Build System

spire - The SPIFFE Runtime Environment

Nuitka - Nuitka is a Python compiler written in Python. It's fully compatible with Python 2.6, 2.7, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, and 3.11. You feed it your Python app, it does a lot of clever things, and spits out an executable or extension module.

spiffe-vault - Integrates Spiffe and Vault to have secretless authentication

WinPython - A free Python-distribution for Windows platform, including prebuilt packages for Scientific Python.

rekor - Software Supply Chain Transparency Log