The attestations are checked into the public transparency log, so they’re still accessible — that’s how I did a decent amount of the triage in the write-up. You can find them in the write-up by searching for “Sigstore” (I would direct link them, but I’m on mobile).
> Another element here is that the releases seemingly were deleted and re-created? I thought that was prevented by PyPI?
Hmm, where do you see this? The release history on PyPI doesn’t show any recreations[1].
> You can find them in the write-up by searching for “Sigstore” (I would direct link them, but I’m on mobile).
Yeah, I know they are in sigstore, I just did not know how to find them. Is there an interface for this I missed?
> Hmm, where do you see this? The release history on PyPI doesn’t show any recreations[1].
Then I completely misunderstood what happened. Were these in fact completely made-up releases that were not even intended to be triggered? E.g., a bot released .41 without there being any intent of an actual .41 release? I thought that UltralyticsAssistant was the developer, not the attacker. Do they also control that thing?