Adopt PEP 740 digital attestations for Django releases

We certainly do, but for the sake of documentation I will say:

  • I do not really trust a fellow’s laptop. This is not because I do not trust the people using them but because of their position. Due to the position they are in it is way more likely for them to get contacted by new people, try out “new” code etc… making them an ideal target for a targeted attack. Personally I think our release process is kinda yolo and includes way too many manual steps.
  • I also trust GitHub less and less (especially since Microsoft and the Storm-0558 debacle). That said, I think that if GitHub is compromised there might be bigger fish to fry than Django, so we might have that going for us.

So what options do we have? Independent of whether any attestation might be a good idea or not, the first step imo is reproducible builds. We might even have them without knowing it (or via slight adjustments only) since all in all we are just packing up some files from a known revision in a tar/zip and we mostly just need to fix timestamps (we don’t have to worry about compiled code etc). This way it is possible to verify the built release by multiple people before publishing. This makes a compromise of an individual machine even less likely/useful. The next step would be to build the release in CI as well, providing another verifier for the reproducible build.

Once we got all that we can consider how we upload to PyPI. More thoughts on that in another post I guess :smiley:

5 Likes
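The "pack known files into a tar with fixed timestamps, then let several people compare" idea from the post, as an added example that is neither Django's release tooling nor the author's code. The file names, version prefix and the pinned epoch are assumptions; the point is which metadata has to be pinned before two machines produce the same digest.

```python
"""Reproducible tar.gz of a source tree, checked by packing it twice.
Pins member mtime, uid/gid, owner names, permission bits, entry order and
the gzip header mtime, so independent packers can compare digests."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Assumed fixed member timestamp; a real release would use the tag's commit date.
SOURCE_DATE_EPOCH = 1704067200  # 2024-01-01T00:00:00Z


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip per-machine metadata from one tar member."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
    return info


def build_sdist(src_dir: str, prefix: str) -> bytes:
    """Pack src_dir under prefix/ into a deterministic .tar.gz and return it."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT,
                      encoding="utf-8") as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()  # os.walk order depends on the filesystem
            for name in sorted(files):
                path = os.path.join(root, name)
                arcname = os.path.join(prefix, os.path.relpath(path, src_dir))
                tar.add(path, arcname=arcname, recursive=False, filter=_normalize)
    # gzip writes its own header mtime; pin it or the compressed bytes drift.
    return gzip.compress(raw.getvalue(), mtime=0)


def demo() -> tuple[str, str]:
    """Constructed tree packed twice, with every file's mtime changed between."""
    with tempfile.TemporaryDirectory() as src:
        os.mkdir(os.path.join(src, "django"))
        files = {"setup.py": b"# constructed\n", "django/__init__.py": b"VERSION = (5, 0)\n"}
        for rel, body in files.items():
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(body)
        first = hashlib.sha256(build_sdist(src, "Django-5.0")).hexdigest()
        for rel in files:  # simulate a fresh checkout on another machine
            os.utime(os.path.join(src, rel), (1, 1))
        second = hashlib.sha256(build_sdist(src, "Django-5.0")).hexdigest()
    return first, second
```

Two runs of `demo()` use different temporary directories, and their digests still match, which is the property a second verifier (a colleague or CI) relies on.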