ActiveState is excited to help provide a new layer of security to Python package publishing through our integration with Trusted Publishing for PyPI. This integration is designed to enhance the security and integrity of Python packages by providing a verified publishing path for package authors, contributors and maintainers.
Automatically Build Python Wheels For Windows, Mac & Linux
Python authors often feel obligated to build their package for all of the major operating systems. While popular packages may have a large ecosystem of contributors who are experts in their chosen OS, other package authors may struggle to set up and maintain build systems for each OS or cross-platform build systems.
By choosing to use ActiveState as their Trusted Publisher, developers gain the ability to create and distribute cross-platform Python wheels across various Python versions. Additionally, they will soon be able to do so with added CPU architectures. All in a simple and automated manner.
ActiveState’s secure build service will automatically build your source code and package it as a wheel, including separate wheels for Windows, Mac and Linux as needed. Depending on how they’re configured in your packages, linked C and/or Rust libraries will automatically be built, as well.
In other words, using a command terminal to execute a handful of rapid commands will allow you to generate, save, and publish your wheel on PyPI (both on pypi.org and test.pypi.org). In this way, you can simplify the publishing process, while ensuring your package has been built in a secure manner.
But it’s not just the secure build process you can benefit from. Developers that integrate Trusted Publishing into their workflow can also take advantage of the dependency management capabilities of the ActiveState Platform. This includes:
- Notifications when dependency vulnerabilities are discovered
- Automatic virtual environment configuration
- Immediate and consistent reproducibility
- Automated dependency resolution when upgrading/updating your package’s dependencies
- Visualizing how your dependency tree changes with new versions of Python
- Rolling back to previous configurations, as required
- Sharing your configuration across your team of contributors and maintainers
This holistic approach can not only make your team more productive, but also strengthen trust in the publishing process.
For those looking to get started using ActiveState as a Trusted Publisher to PyPI, our documentation provides a comprehensive guide to help you through the process.
What is Python Trusted Publishing?
Trusted Publishing empowers authors to publish packages directly to PyPI through a Trusted Publisher such as ActiveState. It leverages the OpenID Connect (OIDC) standard to exchange short-lived identity tokens, removing the necessity for passwords or long-lived API tokens to be shared with third-party systems. By placing trust in an OIDC Identity Provider like ActiveState, PyPI users can securely authenticate without the requirement of storing or sharing API tokens. These tokens, which are tightly scoped and automatically expire, not only bolster security but also streamline the authentication process.
Conclusions: Building a Secure and Collaborative Community
By becoming a Trusted Publisher for PyPI, ActiveState aims to offer an intuitive and simplified publishing process, while encouraging developers to explore and adopt the comprehensive dependency management capabilities of the ActiveState Platform.
ActiveState is committed to working closely with the development community to improve this integration, believing that collaboration is crucial for a safer open-source ecosystem. This is just the start of our journey, as we’re dedicated to providing ongoing improvements to the community. Join our forum to connect with others, find answers, and join discussions.
Don’t forget to register for our April 25, 2024 webinar “Securing Python and Open Source Ecosystems”, where we’ll discuss the importance of establishing trust and reinforcing security within open source repositories, the proactive steps being taken by these repositories and their dependent organizations, and the broader implications for the open source ecosystem as a whole.
