Why pylock.toml includes digital attestations

March 27, 2026

A Python project got hacked where malicious releases were directly uploaded to PyPI. I said on Mastodon that had the project used trusted publishing with digital attestations, then people using a pylock.toml file would have noticed something odd was going on thanks to the lock file including attestation data.

Featured Sponsor

Sponsor Django News

Support the community and reach thousands of Django developers

Learn More

Weekly Newsletter

Get the latest Django news, articles, and projects delivered to your inbox every week. Curated by Jeff Triplett & William Vincent.

No spam, ever. Unsubscribe anytime.

Quick Links

Newsletter Archive
Submit a Link
Visit Curated