The next step in corporate control of 'open source'

Posted Oct 21, 2024 15:54 UTC (Mon) by ballombe (subscriber, #9523)
Parent article: Python PGP proposal poses packaging puzzles

So if you do not have an account on GitHub, GitLab, Google, or Microsoft, then you cannot sign your software?


The next step in corporate control of 'open source'

Posted Oct 21, 2024 16:30 UTC (Mon) by LtWorf (subscriber, #124958) [Link]

That's already the idea with doing uploads on pypi.

They first rendered PGP signatures useless, then removed them because nobody was using them, and made a whole show of forcing everyone to use 2FA (you generate a single globally scoped, never-expiring token now and use that instead of your username and password), but the preferential lane for uploads is to do them directly from GitHub's runners. I guess at some point it will be the only way, which means projects that are on other forges will have to move to one of the blessed ones to upload.

I think Python is basically Microsoft-owned at this point.

The next step in corporate control of 'open source'

Posted Oct 21, 2024 16:59 UTC (Mon) by Nahor (subscriber, #51583) [Link] (6 responses)

From the article:
> they only need to have an account with a provider [...] that uses OpenID Connect (OIDC) to verify identity. Note that [...] it is possible to set up other OIDC providers.

Here is a list of providers:
https://en.wikipedia.org/wiki/List_of_OAuth_providers

The next step in corporate control of 'open source'

Posted Oct 21, 2024 17:44 UTC (Mon) by LtWorf (subscriber, #124958) [Link] (5 responses)

Depends if they allow other providers. PyPI doesn't allow you to use whatever provider you like.

The next step in corporate control of 'open source'

Posted Oct 22, 2024 17:22 UTC (Tue) by Nahor (subscriber, #51583) [Link] (4 responses)

> Depends if they allow other providers.

It's in the article and the excerpt I quoted:
>> [...] Note that [...] it is possible to set up other OIDC providers.

Am I missing something!?

The next step in corporate control of 'open source'

Posted Oct 22, 2024 18:12 UTC (Tue) by LtWorf (subscriber, #124958) [Link] (3 responses)

I am saying that I do not know how it works in this case, but for PyPI uploads there is a list of accepted OIDC providers. So using a known protocol isn't an indication of openness.
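Example (added here; not from the thread, and not PyPI's or Sigstore's code): the point above is that a relying party can speak standard OIDC and still accept tokens only from issuers on its own allowlist. The allowlist, audience, signing key and tokens below are all constructed for the illustration; real OIDC ID tokens are signed with the issuer's asymmetric key and verified against its published JWKS, not an HMAC secret, but the policy check on the `iss` claim is the same.

```python
"""Issuer allowlist check on an OIDC-style ID token (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed policy: which issuers this relying party trusts. This is the
# relying party's decision, not something the OIDC protocol dictates.
ACCEPTED_ISSUERS = {
    "https://token.actions.githubusercontent.com",
    "https://gitlab.com",
}
EXPECTED_AUDIENCE = "example-package-index"  # constructed audience value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the example (real OIDC uses asymmetric keys)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def check_token(token: str, key: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason): signature first, then issuer policy, then aud/exp."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"  # the verifier fixes the algorithm, not the token
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    # The policy step: a validly signed token from an unlisted issuer is still rejected.
    if claims.get("iss") not in ACCEPTED_ISSUERS:
        return False, f"issuer not accepted: {claims.get('iss')}"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "accepted"


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    now = 1_700_000_000
    ok = make_token({"iss": "https://gitlab.com", "aud": EXPECTED_AUDIENCE,
                     "sub": "project_path:example/pkg", "exp": now + 600}, key)
    other = make_token({"iss": "https://auth.example.org", "aud": EXPECTED_AUDIENCE,
                        "sub": "someone", "exp": now + 600}, key)
    print(check_token(ok, key, now))     # accepted
    print(check_token(other, key, now))  # rejected by policy, not by the protocol
```

A self-hosted issuer that is perfectly valid OIDC fails only at the allowlist step, which is the distinction the comment draws between "uses OIDC" and "accepts any OIDC provider".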

The next step in corporate control of 'open source'

Posted Oct 22, 2024 19:47 UTC (Tue) by Nahor (subscriber, #51583) [Link] (2 responses)

But we are not talking about PyPI. If the article didn't specify whether Sigstore supports alternative OIDC providers, then sure, you could use PyPI as an example of what it might be. But the article, which I assume has been researched, does say it can be changed, so what PyPI does is irrelevant and all you're doing is spreading FUD.

The next step in corporate control of 'open source'

Posted Oct 22, 2024 20:04 UTC (Tue) by LtWorf (subscriber, #124958) [Link] (1 response)

Can you please link the Sigstore documentation where it explains how to add a new OIDC provider? Because I've only seen mentions of Google/Microsoft but I could not find a documented way to add another.

The next step in corporate control of 'open source'

Posted Oct 22, 2024 20:20 UTC (Tue) by daroc (editor, #160859) [Link]

The documentation on how to add an OIDC provider to Fulcio lives here.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds