sigstore-python
asdf
sigstore-python | asdf | |
---|---|---|
4 | 341 | |
210 | 20,547 | |
0.5% | 1.1% | |
9.3 | 7.6 | |
7 days ago | 3 days ago | |
Python | Shell | |
GNU General Public License v3.0 or later | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sigstore-python
-
How to improve Python packaging, or why 14 tools are at least 12 too many
You could use `pip-compile` if you want full pinning. That's what we do on another project -- we use GitHub Actions with `pip-compile` to provide a fully frozen copy of the dependency tree for users who'd like that[1].
In the context of `pip-audit`, that makes a little less sense: most of our dependencies are semantically versioned, and we'd rather users receive patches and fixes to our subdependencies automatically, rather than having to wait for us to release a corresponding fix version. Similarly, we expect users to install `pip-audit` into pre-existing virtual environments, meaning that excessive pinning will produce overly conservative dependency conflict errors.
[1]: https://github.com/sigstore/sigstore-python/tree/main/instal...
-
Use `Python -m Pip`
The conflicting advice is a serious problem.
I hope you'll forgive me for adding one additional piece of advice: for many Python packages, the only packaging metadata you need is `pyproject.toml`. You don't even need `setup.py` anymore, so long as you're using a build backend that supports editable installs with `pyproject.toml`.
Here's an example of a Python package that does everything in `pyproject.toml`[1]. You should be able to copy that into any of your projects, edit it to match your metadata, and everything will work exactly as if you have a `setup.cfg` or `setup.py`.
[1]: https://github.com/sigstore/sigstore-python
-
Bundling binary tools in Python wheels
You're right, both the infrastructure and metadata for cryptographic signatures on Python packages (both wheels and sdists) isn't quite there yet.
At the moment, we're working towards the "e2e" scheme you've described by adding support for Sigstore[1] certificates and signatures, which will allow any number of identities (including email addresses and individual GitHub release workflows) to sign for packages. The integrity/availability of those signing artifacts will in turn be enforced through TUF, like you mentioned.
You can follow some of the related Sigstore-in-Python work here[2], and the ongoing Warehouse (PyPI) TUF work here[3]. We're also working on adding OpenID Connect token consumption[4] to Warehouse itself, meaning that you'll be able to bootstrap from a trusted GitHub workflow to a PyPI release token without needing to share any secrets.
[1]: https://www.sigstore.dev/
[2]: https://github.com/sigstore/sigstore-python
[3]: https://github.com/pypa/warehouse/pull/10870
[4]: https://github.com/pypa/warehouse/pull/11272
- Project sigstore (free software signing service) just released a library to sign and verify python packages
asdf
-
Install Asdf: One Runtime Manager to Rule All Dev Environments
The main issue most people have with asdf is that it’s annoyingly slow. Not unusably so, but just enough that it’s irritating.
I identified [0] the source for much of it (sub-shells and pipes) and began a PR [1], but became bogged down with BATS testing, and then found mise / rtx, so kind of lost interest. Sorry. You can always implement these if you’d like.
[0]: https://github.com/asdf-vm/asdf/issues/290#issuecomment-1383...
[1]: https://github.com/asdf-vm/asdf/pull/1441
- Show HN: I made a multiple runtime version manager that can be used on Windows
-
Volta – Fastest Node version manager in Rust
Or if you need to manage more than just node, asdf has been around for over a decade and works great. You can use a .tool-versions to change runtimes for each project you have, in addition to managing your global runtime versions
https://asdf-vm.com/
-
Pyenv – lets you easily switch between multiple versions of Python
Why not just use a tool like asdf (https://asdf-vm.com/) or mise (https://mise.jdx.dev/)?
These tools have the advantage of not being multi-taskers and can manage version for all your tools. You wouldn’t need pyenv and npm and rvm and…
We’ve even started committing the .mise.toml files for projects to our repos. That way, since we work on multiple projects that may need multiple versions of the same tool, it’s handled and documented.
-
A Journey to Find an Ultimate Development Environment
The purpose of a version manager is to help you navigate or install any tools for development easily. Version Manager can be one tool for each dependency (e.g. NVM, g) or One tool for all dependencies (e.g. asdf, mise).
-
How to Install Your Python Version on Ubuntu
(asdf)[https://asdf-vm.com/] fully supports Python and almost any other language. I've been using it for Ruby, Python, Elixir, and other languages for years and never looked back.
-
Beginners Intro to Trunk Based Development
Secondly, our development environments must not drift, because then code may behave differently and a change could pass on our machine but fail in production. There are many tools for locking down environments, e.g nix, pkgx, asdf, containers, etc., and they all share the common goal of being able to lock down dependencies for an environment accurately and deterministically. And that needs to be enforced in our local workflow so we don't have to rely on CI environments for correctness. All developers must have environments that are effectively identical to what runs in CI (which itself should be representative of the production environment).
-
Practical Guide to Trunk Based Development
There are many ways this can be done (e.g nix, pkgx, asdf, containers, etc.), and we won’t get into which specific tools to use, because we'll instead cover the essential essence of preventing environment drift:
- Criando seu ambiente com ASDF
-
Kotlin version manager
I've really been enjoying asdf, which is a program that allows you to install specified versions of dev utilities as well as dynamically manage them via shims and .tool-versions files.
What are some alternatives?
sampleproject - A sample project that exists for PyPUG's "Tutorial on Packaging and Distributing Projects"
SDKMan - The SDKMAN! Command Line Interface
publishing-python-packages - Examples and exercises for Publishing Python Packages from Manning Books 🐍 📦 ⬆️
pyenv - Simple Python version management
pigar - :coffee: A tool to generate requirements.txt for Python project, and more than that. (IT IS NOT A PACKAGE MANAGEMENT TOOL)
rbenv - Manage your app's Ruby environment
Nuitka - Nuitka is a Python compiler written in Python. It's fully compatible with Python 2.6, 2.7, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, and 3.11. You feed it your Python app, it does a lot of clever things, and spits out an executable or extension module.
nvm - Node Version Manager - POSIX-compliant bash script to manage multiple active node.js versions
auditwheel - Auditing and relabeling cross-distribution Linux wheels.
volta - Volta: JS Toolchains as Code. ⚡
pip-audit - Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
HomeBrew - 🍺 The missing package manager for macOS (or Linux)