Commit 16c0a17

PEP 807: feedback
Signed-off-by: William Woodruff <william@astral.sh>
1 parent 7a0c198 commit 16c0a17

1 file changed

+14
-7
lines changed

peps/pep-0807.rst

@@ -153,7 +153,7 @@ The discovery mechanism is as follows:
153153
producing the *discovery key*.
154154

155155
For the above example, the discovery key is
156-
``af030c06750716b1b35852298fe852b90def13dcbd012a5fe5148470f1206bfc``. [#fn-hash]_
156+
``0cace9579789849db6e16d48df183951c8f17582200d84bc93c7678d6c8f78a7``. [#fn-hash]_
157157

158158
4. The uploading client constructs a *discovery URL* by taking the
159159
scheme and authority components (as defined in :rfc:`3986`)
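Review bot: The new discovery key on the ``+`` line is a bare literal, and nothing in this hunk says which bytes were hashed to produce it. The value it replaces was derived in the old footnote with a shell here-string (``shasum -a 256 <<< '/legacy/'``), which appends a newline to the input, so the trailing-newline question has already produced one wrong value here. The step that produces the discovery key should state the exact input (the path encoded as UTF-8, with no trailing newline) in the normative text rather than leaving it to the footnote, so that two clients cannot derive different discovery keys for the same path. The same digest is also repeated in the ``[#fn-hash]`` footnote, so the two copies have to be kept in sync by hand.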
@@ -267,7 +267,10 @@ containing a JSON object with the following fields:
267267

268268
The server **MUST NOT** issue temporary upload credentials
269269
that expire in less than 15 minutes (900 seconds) or more than
270-
6 hours (21,600 seconds) from the time of the request. [#fn-expires]_
270+
6 hours (21,600 seconds) from the time of the request.
271+
272+
The maximum expiry time of 6 hours is chosen to match common runtime limits
273+
on popular CI/CD providers like GitHub Actions.
271274

272275
The uploading client **MAY** use this time (or the minimum specified
273276
above) to determine when to refresh the upload credential, if needed.
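Review bot: The rationale paragraph added after the **MUST NOT** sentence now sits between the expiry requirement and the following "The uploading client **MAY** use this time" sentence, so "this time" no longer has a nearby antecedent. Move the rationale after the **MAY** sentence or set it off as a non-normative note, so the two normative sentences stay adjacent. Only the 6-hour maximum is justified; the 15-minute minimum would benefit from a stated reason as well.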
@@ -409,18 +412,22 @@ This approach too has downsides:
409412
Footnotes
410413
=========
411414

412-
.. [#fn-hash] ``shasum -a 256 <<< '/legacy/'``
415+
.. [#fn-hash]
416+
.. code-block:: python
417+
418+
>>> import hashlib
419+
...
420+
... path = "/legacy/"
421+
... key = hashlib.sha256(path.encode("utf-8")).hexdigest()
422+
... print(key)
423+
0cace9579789849db6e16d48df183951c8f17582200d84bc93c7678d6c8f78a7
413424
414425
.. [#fn-oidc] Widely used CI/CD and cloud providers various implement "ambient"
415426
OIDC token retrieval mechanisms that aren't standardized.
416427
These various mechanisms are currently abstracted over by
417428
existing components of the Python packaging ecosystem,
418429
such as the `id package <https://pypi.org/p/id>`_.
419430
420-
.. [#fn-expires] The maximum expiry time of 6 hours is chosen to match
421-
common runtime limits on popular CI/CD providers like
422-
GitHub Actions.
423-
424431
Copyright
425432
=========
426433

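Review bot: The code block added to ``[#fn-hash]`` uses ``...`` continuation prompts for what are separate statements (``... path = "/legacy/"``, ``... key = hashlib.sha256(...)``, ``... print(key)``). In an interpreter session ``...`` only continues a compound statement and each new statement starts with ``>>>``, so the block does not match what a reader would see when reproducing it. Put ``>>>`` on each statement, or drop the prompts and give the expected digest as a comment. Since the footnote body is now only a directive, it is also worth a one-line sentence before the block saying that the digest is taken over the UTF-8 bytes of the path with no trailing newline, which is the difference from the ``shasum`` here-string this replaces.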