From 6ad9800f1d191af3a2f7cc0bac269cadddf24a27 Mon Sep 17 00:00:00 2001 From: Javier de la Puente Date: Thu, 27 Nov 2025 10:27:51 +0100 Subject: [PATCH 1/2] Same as snaps. Pypi by default should not be trusted --- CONTRIBUTING.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 78269e2..090e425 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -142,7 +142,7 @@ These are: * Snaps [owned by the "canonical" account](https://snapcraft.io/publisher/canonical) * Snaps where the binary is built from a trusted and approved source. -* [PyPi](https://pypi.org/) +* [PyPi](https://pypi.org/) where the binary is built from a trusted and approved source. These sources are considered trusted because we are confident that we understand the way in which they're built, and the security commitments for packages/snaps From 7a067e1f91d0573e6b562dfa671040d8e77fd31a Mon Sep 17 00:00:00 2001 From: Javier de la Puente Date: Thu, 27 Nov 2025 10:36:49 +0100 Subject: [PATCH 2/2] split line --- CONTRIBUTING.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 090e425..d50aca7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -138,11 +138,12 @@ versions. Downloading binaries is only permitted from what are classed as trusted sources. These are: -* The Ubuntu Archives (for debian packages) -* Snaps +* The Ubuntu Archives (for debian packages). +* Snaps. [owned by the "canonical" account](https://snapcraft.io/publisher/canonical) * Snaps where the binary is built from a trusted and approved source. -* [PyPi](https://pypi.org/) where the binary is built from a trusted and approved source. +* [PyPi](https://pypi.org/) where the binary is built from a trusted and + approved source. These sources are considered trusted because we are confident that we understand the way in which they're built, and the security commitments for packages/snaps
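Review bot: in the first patch, the clause added to the PyPi bullet ("where the binary is built from a trusted and approved source") copies the wording of the Snaps bullet but leaves undefined what counts as a trusted and approved source for a PyPI package, while the surrounding text only spells out the "canonical" publisher criterion for snaps. Consider adding a sentence, or a link to the approval process, stating how a PyPI package is approved, and updating the following sentence ("the security commitments for packages/snaps") so that it also covers PyPI packages now that they are conditionally trusted. The new bullet also runs past the wrap width the rest of the file uses; the follow-up patch re-wraps it, so squashing the two commits would keep the history clean.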
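Review bot: in the second patch, the full stop added after `Snaps` breaks that bullet, because the unchanged context line `[owned by the "canonical" account](https://snapcraft.io/publisher/canonical)` is the continuation of the same item and now reads as "Snaps. [owned by the canonical account]". Either drop that period or move it to the end of the link line, e.g. `* Snaps` / `  [owned by the "canonical" account](https://snapcraft.io/publisher/canonical).` The commit message says "split line", but the hunk also adds trailing periods to two other bullets; mention that in the message or keep the punctuation change in its own commit so the intent of each change is clear.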