Jazzband (https://jazzband.co/about/releases) uses an approach that builds 
and pushes the PyPI packages to an intermediate repository that is owned by 
the Jazzband organization.

The Jazzband intermediate repository then allows publishing them from the 
Jazzband organization to PyPI via a push-button deployment from the Travis 
build. 

This eliminates the need for having the public PyPI warehouse credentials 
published to Travis or another target, but requires setting up a private 
repository.

An approach like this (2) of course introduces two additional components to 
the trust chain compared to the current model (1):

1. With a simple PyPI upload, only the PyPI warehouse and the uploader have 
to be ultimately trusted, and package signatures are easy to check against 
known public PGP keys, with 2 parties of trust, but
2. with an intermediate private PyPI upload from e.g. Travis, both Travis 
and the private intermediate server have to be trusted in addition to the 
PyPI warehouse and the original author, with 4 parties of trust.

On Tuesday, 12 February 2019 09:36:09 UTC+2, Florian Apolloner wrote:
>
>
>
> On Monday, February 11, 2019 at 11:01:55 PM UTC+1, Adam Johnson wrote:
>>
>> Jamesie's suggestion to use CI is also valid but a bunch more work. I 
>> guess the main advantage is you get a blank slate container to work in, 
>> though a fresh checkout to a temp dir provides most of the gain for less 
>> work.
>>
>
> If I remember, we have been hesitant in the past because that would require 
> us to give credentials to PyPI etc. to the CI service. That said, I think 
> that is a risk we could take.
>
> Cheers,
> Florian
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/a1f957d4-87c4-4f09-87cc-d8fefa6c5c98%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
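An added example, not code from this thread or from Jazzband or Django, illustrating the check a consumer can run so that the intermediate hops in the 4-party chain above (CI service, private index) need not be trusted for the integrity of the served bytes: the author computes the sdist digest at release time and publishes it over a channel independent of the index (a signed release mail, for instance), and the consumer verifies whatever was served against that pin. The pin-line syntax is pip's hash-checking format (`name==version --hash=sha256:<hex>`); the package name, version and artifact bytes are constructed for the example, and the "author" and "consumer" roles are simulated in one process. This checks integrity only: unlike a PGP signature it does not prove who produced the artifact, and a digest copied from the same index that served the file adds nothing.

```python
"""Hash-pinned release verification (added example, not from the thread).

Author side: compute the digest of the sdist and publish it out-of-band.
Consumer side: parse the pin lines and verify the served bytes against them,
so that a mirror, CI artifact store or warehouse that altered the file is
detected. Pin syntax follows pip's hash-checking mode.
"""
import hashlib
import re

# Constructed stand-ins for sdist bytes; not real packages.
GOOD_SDIST = b"example-pkg-1.0.tar.gz contents (constructed for the example)"
TAMPERED_SDIST = GOOD_SDIST + b"\n# bytes injected by an intermediate hop"

# One package pin: name==version followed by one or more --hash=algo:hex.
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=(?:sha256|sha384|sha512):[0-9a-f]+)+)\s*$"
)


def _canonical(name: str) -> str:
    # PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def author_pin(name: str, version: str, sdist: bytes, algo: str = "sha256") -> str:
    """Release-time step: the pin line the author publishes out-of-band."""
    digest = hashlib.new(algo, sdist).hexdigest()
    return f"{name}=={version} --hash={algo}:{digest}"


def parse_pins(text: str) -> dict:
    """Consumer side: map (canonical name, version) -> {algo: {hexdigest, ...}}.

    Comments and blank lines are skipped; any other unparseable line is an
    error rather than silently ignored, so a malformed pin cannot turn into
    an unpinned install.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pin line: {raw!r}")
        key = (_canonical(m["name"]), m["version"])
        allowed = pins.setdefault(key, {})
        for algo, hexdigest in re.findall(r"--hash=(\w+):([0-9a-f]+)", m["hashes"]):
            allowed.setdefault(algo, set()).add(hexdigest)
    return pins


def verify_artifact(pins: dict, name: str, version: str, sdist: bytes) -> bool:
    """True only if the served bytes match a pinned digest for this release.

    Fails closed: a release with no pin is rejected, because the only thing
    vouching for it would be the index that served it.
    """
    allowed = pins.get((_canonical(name), version))
    if not allowed:
        return False
    return any(
        hashlib.new(algo, sdist).hexdigest() in digests
        for algo, digests in allowed.items()
    )


if __name__ == "__main__":
    # Author publishes the pin; consumer checks what the index actually served.
    published = author_pin("Example_Pkg", "1.0", GOOD_SDIST)
    pins = parse_pins(published)
    print("pin line:", published)
    print("good sdist accepted:", verify_artifact(pins, "example-pkg", "1.0", GOOD_SDIST))
    print("tampered sdist accepted:", verify_artifact(pins, "example-pkg", "1.0", TAMPERED_SDIST))
    print("unpinned version accepted:", verify_artifact(pins, "example-pkg", "1.1", GOOD_SDIST))
```

Run it as a script to see the accept/reject decisions. The pin line should travel over a channel the intermediate hops cannot rewrite; if the consumer fetches it from the same private index or CI artifact store being verified, that hop is back in the trust chain.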
