Hacker News

the_mitsuhiko 12/08/2024

One quite annoying element is that as a third party you cannot access the attestations of the deleted releases any more. I really wanted to see if the attestations would help here to figure out what happened. But maybe I’m just not informed enough about where to look.

Another element here is that the releases seemingly were deleted and re-created? I thought that was prevented by PyPI?


Replies

woodruffw 12/08/2024

The attestations are checked into the public transparency log, so they’re still accessible — that’s how I did a decent amount of the triage in the write up. You can find them in the write up by searching for “Sigstore” (I would direct link them, but I’m on mobile).

> Another element here is that the releases seemingly were deleted and re-created? I thought that was prevented by PyPI?

Hmm, where do you see this? The release history on PyPI doesn’t show any recreations[1].

[1]: https://pypi.org/project/ultralytics/
