sigstore-python VS Nuitka

You could use `pip-compile` if you want full pinning. That's what we do on another project -- we use GitHub Actions with `pip-compile` to provide a fully frozen copy of the dependency tree for users who'd like that[1].

In the context of `pip-audit`, that makes a little less sense: most of our dependencies are semantically versioned, and we'd rather users receive patches and fixes to our subdependencies automatically, rather than having to wait for us to release a corresponding fix version. Similarly, we expect users to install `pip-audit` into pre-existing virtual environments, meaning that excessive pinning will produce overly conservative dependency conflict errors.

[1]: https://github.com/sigstore/sigstore-python/tree/main/instal...

The conflicting advice is a serious problem.

I hope you'll forgive me for adding one additional piece of advice: for many Python packages, the only packaging metadata you need is `pyproject.toml`. You don't even need `setup.py` anymore, so long as you're using a build backend that supports editable installs with `pyproject.toml`.

Here's an example of a Python package that does everything in `pyproject.toml`[1]. You should be able to copy that into any of your projects, edit it to match your metadata, and everything will work exactly as if you have a `setup.cfg` or `setup.py`.

[1]: https://github.com/sigstore/sigstore-python

You're right, both the infrastructure and metadata for cryptographic signatures on Python packages (both wheels and sdists) isn't quite there yet.

At the moment, we're working towards the "e2e" scheme you've described by adding support for Sigstore[1] certificates and signatures, which will allow any number of identities (including email addresses and individual GitHub release workflows) to sign for packages. The integrity/availability of those signing artifacts will in turn be enforced through TUF, like you mentioned.

You can follow some of the related Sigstore-in-Python work here[2], and the ongoing Warehouse (PyPI) TUF work here[3]. We're also working on adding OpenID Connect token consumption[4] to Warehouse itself, meaning that you'll be able to bootstrap from a trusted GitHub workflow to a PyPI release token without needing to share any secrets.

[1]: https://www.sigstore.dev/

[2]: https://github.com/sigstore/sigstore-python

[3]: https://github.com/pypa/warehouse/pull/10870

[4]: https://github.com/pypa/warehouse/pull/11272

Thanks for the feedback! I'm Syrus, main author of the work on py2wasm.

We already opened a PR into Nuitka to bring the relevant changes upstream: https://github.com/Nuitka/Nuitka/pull/2814

We envision py2wasm being a thin layer on top of Nuitka, as also commented in the article.

From what we gathered, we believe that there's usefulness on having py2wasm as a separate package, as py2wasm would also need to ship the precompiled Python distribution (3.11) for WASI (which will not be needed for the other Nuitka use cases), apart of also shipping other tools that are not directly relevant for Nuitka

This is a good place to mention https://nuitka.net/ which aims to compile python programs into standalone binaries.

For Python, you could make a proper deployment binary using Nuitka (in standalone mode – avoid onefile mode for this). I'm not pretending it's as easy as building a Go executable: you may have to do some manual hacking for more unusual unusual packages, and I don't think you can cross compile. I think a key element you're getting at is that Go executables have very few dependencies on OS packages, but with Python (once you've sorted the actual Python dependencies) you only need the packages used for manylinux [2], which is not too onerous.

[1] https://nuitka.net/

[2] https://peps.python.org/pep-0599/#the-manylinux2014-policy

glee is rich in blogging features but has some drawbacks. One of the main drawbacks is its compatibility with multiple operating systems and system architectures. We lost one potential customer due to glee incompatibility in macOS. Another major issue is the deployment time. We built the first version of glee entirely in Python and used nuitka, nuitka compiles Python programs into a single executable binary file. We need to create three separate stages for creating executable binaries for Windows, Mac, and Linux in deployment, and it takes around 20 minutes to complete.

There is already an AOT compiler for Python: Nuitka[0]. But I don't think it's much faster.

And then there is mypyc[1] which uses mypy's static type annotations but is only slightly faster.

And various other compilers like Numba and Cython that work with specialized dialects of Python to achieve better results, but then it's not quite Python anymore.

[0] https://nuitka.net/

[1] https://github.com/python/mypy/tree/master/mypyc

Nuitka deals pretty well with those in general: https://nuitka.net/

Hi HN,

Has anyone explored Nuitka [1] and developed understanding from a blank slate?

Is there any toy version of this, so that one can start playing with the language translation concepts?

Is there any underlying theory/inspiration upon which this project is built?

Are there any similar projects, in say other languages?

[1] https://github.com/Nuitka/Nuitka

That's more of cultural problem in the Python community.

If I provide an end user software to my client written an Python (so not a backend, not a lib...), I will compile it with nuitka (https://github.com/Nuitka/Nuitka) and hide the stack trace (https://www.bitecode.dev/p/why-and-how-to-hide-the-python-st...) to provide a stand alone executable.

This means the users don't have to know it's made with Python or install anything, and it just works.

However, Python is not like Go or Rust, and providing such an installer requires more than work, so a huge part of the user base (which have a lot of non professional coders) don't have the skill, time or resources to do it.

And few people make the promotion of it.

I should write an article on that because really, nobody wants to setup python just to use a tool.

As for a simpler option, you could use a "compiler": https://github.com/Nuitka/Nuitka