There have been several security incidents lately that involved compromising GitHub Actions workflows. This has led some to say "GitHub Actions is the weakest link" in publishing and to GitHub publishing
A Python project got hacked where malicious releases were directly uploaded to PyPI. I said on Mastodon that had the project used trusted publishing with digital attestations, then people using a pylock.toml
(This is the blog post version of my keynote from EuroPython 2025 in Prague, Czechia.)
We now have a lock file format specification. That might not sound like a big deal, but for
There are a couple of things I always want to be true when I install Python packages for a project:
1. I have a virtual environment
2. Pip is up-to-date
For
Back in October, I released mousebender 2023.2. The biggest change was adding support for PEP 714 (which unless you're running a package index you don't need to know