Mention attestations as an open issue

brettcannon · brettcannon · commit 1f36f8afea76 · 2025-01-15T12:59:22.000-08:00
diff --git a/peps/pep-0751.rst b/peps/pep-0751.rst
@@ -1173,6 +1173,18 @@ detail as to differentiate from any other entry for the same package in the file
 (inspired by uv_).
 
 
+Including index-hosted attestatons
+==================================
+
+:ref:`packaging:index-hosted-attestations` specifies attestation details for
+files uploaded to a package index like PyPI. Including some of those details may
+help detect issues with packaging when auditing the file (e.g., the publisher
+suddenly changing).The key reason this isn't included in the PEP is because the
+specification is entirely focused on JSON. In order to bring it to this PEP
+either how to translate JSON to TOML would need to be specified, embed the
+JSON payload as a string, or re-specify some or all of the attestation spec.
+
+
 -------------------------
 Expanding the feature set
 -------------------------
