pyflow VS fulcio

Very cool! Of note, I made something along these lines a few years ago, although with a slightly broader scope to also include managing and installing python versions. I abandoned it due to lack of free time, and edge cases breaking things. The major challenge is that Python packages that aren't wheels can do surprising things due to setup.py running arbitrary code. (https://github.com/David-OConnor/pyflow)

Pyflow

Pyflow takes care of the use when you need pyenv to isolate different python versions, pipx to isolate some global python-based tools, and isolated, reproducible builds per project with on tool. I highly recommend people to give it go.

https://github.com/David-OConnor/pyflow#a-thoroughly-biased-...

Pyflow is a similar implementation of PEP582. NGL I wonder if it's better because of how good Rust stuff is. Probably a lot faster. Looks like you can install it via Pypi. I should've tested it before moving to PDM. Though it seems dev is a bit slow. Hmmm.

I’m personally complaining that pip is so much behind cargo. I have some hope with Pyflow though.

I literally stumbled into this issue again today. Has anyone leveraged Pyflow before? It looks pretty slick for keeping things organized. I don't do heavy dev work, just need something to keep things generally tidy. Was curious if anyone had used it and their opinion on it.

PDM is pretty new so it’s not entirely clear how it’ll play out but if you’re interested in PEP 582 then it’s really that or pyflow.

It's a good safeguard, and it's going in the direction of the other initiatives to make python package management default behavior saner.

PEP 852 is the another one to follow up: https://www.python.org/dev/peps/pep-0582/

It basically uses the concept of node_modules, making python interpreters local any local __pypackages__ directory. There are 2 differences though:

- unlike JS, python can only have one version of one lib

- but since having several versions of python often matters, you may have several __pypackages__/X.Y sub dirs to catter to each of them

It does also force you to use "-m" to use commands, which is the best practice anyway. I hope it will make jupyter fix "-m" on windows for them because that's a blocker for beginners.

If you are not already using "-m", start now. It solves a lot of different problems with running python cli programs.

E.G: instead of running "black" or "pylint", do "python -m black" or "python -m pylint". Or course you may want to chose a specific version of python, so "python3.8 -m black" for unix, or "py -3.8 -m black" on windows.

To test out __pypackages__, give a try to the pdm project: https://github.com/pdm-project/pdm

At last, some other tools that I wish people knew more about that solves packaging issues:

- pyflow (https://github.com/David-OConnor/pyflow): it's a package manager like poetry, but it also install whatever python you want like pyenv. Except it provides the binary, no need to compile anything. It's a young project, but I wish it succeeds because it's really a great concept.

- shiv (shiv.readthedocs.io/): it leverage the concept of zipapp, meaning the ability that python has to execute python inside a zip file. It's a successor to pex. Basically it lets you bundle your code + all deps from virtualenv inside a zip, like a Java .war file. You can then run the resulting zip, a .pyz file, like if it was a regular .py file. It will unzip on the first run automatically. It makes deployment almost as easy as with golang.

- nuitka (shiv.readthedocs.io/): take your code and all dependancies, turn them into C, and compiles it. Although it does require a bit of setup, since it needs headers and a compiler, it results reliably in a standalone compiled executable that will run on the same architecture with no need for anything else. Also it will speed up your Python program, up to 4 times.

untrue.

The Root CA is generated by the sigstore community (five folks, two from academia) this is what is used for the trust root for the signing. Right now github exchanges a OIDC token for a sigstore root chained cert.

GitLab are currently adding themselves, to have the same capability.

https://github.com/sigstore/fulcio/pull/1097

They also say thay they integrate with Fulcio which seems to be a self-managing CA. Never tried it, though.

https://docs.sigstore.dev/ :

> sigstore empowers software developers to securely sign software artifacts such as release files, container images, binaries, bill of material manifests and more. Signing materials are then stored in a tamper-resistant public log.

> It’s free to use for all developers and software providers, with sigstore’s code and operational tooling being 100% open source, and everything maintained and developed by the sigstore community.

> How sigstore works: Using Fulcio, sigstore requests a certificate from our root Certificate Authority (CA). This checks you are who you say you are using OpenID Connect, which looks at your email address to prove you’re the author. Fulcio grants a time-stamped certificate, a way to say you’re signed in and that it’s you.

https://github.com/sigstore/fulcio

> You don’t have to do anything with keys yourself, and sigstore never obtains your private key. The public key that Cosign creates gets bound to your certificate, and the signing details get stored in sigstore’s trust root, the deeper layer of keys and trustees and what we use to check authenticity.

https://github.com/sigstore/cosign

> our certificate then comes back to sigstore, where sigstore exchanges keys, asserts your identity and signs everything off. The signature contains the hash itself, public key, signature content and the time stamp. This all gets uploaded to a Rekor transparency log, so anyone can check that what you’ve put out there went through all the checks needed to be authentic.

https://github.com/sigstore/rekor

fulcio is a root CA for code signing certs. Its job is to issue code-signing certificates and to embed OIDC identity into code-signing certificate. From this description we can see that it performs these tasks in steps 2, 3, 4 and 8.

Did you follow the link to the project list on Github? The actual tool for doing the signing, cosign, is just a binary you can install on your device and generate signatures and keys yourself. The "service" part of it seems to just be having your public certificate vouched for by a trusted code signing CA. I don't see anything in the tooling that requires your users to only trust that CA. If you want to sign your cert with your own CA and tell your users to trust that instead, they seemingly can do that, just as you can do that today in browsers. That you can't do it with Firefox extensions and mobile app stores is a limitation intentionally built into the distribution channel. It's not a limitation of PKI itself. iOS, Android, and Mozilla could have chosen to let users install arbitrary trusted CAs. You shouldn't dismiss all PKI based on the fact that a few vendors have chosen to implement it in a crappy way to make walled gardens.

It doesn't say this on the announcement, but looking at the actual PKI service (https://github.com/sigstore/fulcio), it seems to be entirely possible to self-host the service and roll your own CA.