Note on all the #xz drama: there are some technical solutions for such a #supplychainattack that can make such an attack way harder, at least hiding the code in tarballs etc.
https://slsa.dev/ e.g. is a solution. Combined with reproducible builds, it ensures that a software artifact is built exactly from the source given in a source repository, with the possibility to prove that and no way for any maintainer to tamper with it (at the highest level).
🚀🥳It really helped me to learn more about software supply chain security things including #deps.dev, #go, #SLSA, #SBOM, #scorecard, #distroless, and many more!
🧑🏻💻I highly recommend you take a look at this blog!
Just released MarkupSafe 2.1.2. Aside from fixing a bug, it also provides Python 3.11 wheels, as well as SLSA provenance.
This was the first automated release through GitHub workflows. Push a tag, and it automatically builds sdist and 49 platform wheels, generates SLSA provenance, creates a GitHub release with all the files, waits for review, then publishes them to PyPI.
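The check the two posts above describe (an artifact, its SLSA provenance, and a trusted builder), as an added Python example that is not code from either poster, from SLSA, or from MarkupSafe: the builder side emits an in-toto Statement with a SLSA v1 provenance predicate, and the consumer side refuses the artifact unless its SHA-256, the builder id and the source URI all match. It assumes the DSSE envelope signature was already verified (e.g. by slsa-verifier), uses a placeholder buildType, and puts the source under a simplified `externalParameters.source.uri` key, which real build types lay out differently.

```python
import hashlib
import json

BUILDER = "https://example.invalid/trusted-builder"            # placeholder
SOURCE = "git+https://example.invalid/org/repo@refs/tags/v1.0"  # placeholder


def make_provenance(name: str, artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Builder side: an in-toto v1 Statement with a SLSA v1 provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/demo-build",       # placeholder
                "externalParameters": {"source": {"uri": source_uri}},  # simplified layout
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(artifact: bytes, statement: dict, trusted_builder: str,
                      expected_source: str) -> tuple[bool, str]:
    """Consumer side. Assumes the DSSE signature over the statement was already
    checked; this only validates the statement's content against the artifact."""
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "not an in-toto v1 statement"
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "not SLSA v1 provenance"
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        return False, "artifact digest not among provenance subjects"
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != trusted_builder:
        return False, f"untrusted builder {builder!r}"
    source = pred.get("buildDefinition", {}).get("externalParameters", {}).get("source", {}).get("uri")
    if source != expected_source:
        return False, f"unexpected source {source!r}"
    return True, "ok"


def demo() -> dict:
    """Constructed artifact bytes; round-trips the statement through JSON as a file would."""
    artifact = b"constructed sdist bytes, not a real release\n"
    stmt = json.loads(json.dumps(make_provenance("demo-1.0.tar.gz", artifact, BUILDER, SOURCE)))
    return {
        "genuine": verify_provenance(artifact, stmt, BUILDER, SOURCE)[0],
        "tampered": verify_provenance(artifact + b"x", stmt, BUILDER, SOURCE)[0],  # modified tarball
        "wrong_builder": verify_provenance(artifact, stmt, "https://example.invalid/other", SOURCE)[0],
    }
```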