Trusted publishing of other people's wheels?

Some more background on why this is so much harder for Python.

If we do this, it needs to become the default IMO, i.e. get the original maintainers invested/involved in the process, because it’ll be the main delivery path to their users. I’m aware that this is a very tall order… Speaking of:

One thing that makes this endeavour a couple orders of magnitude more difficult still, is that build farms are expensive, both in terms of resources and maintenance. Such costs are the death of many a good idea in FOSS, because if you can’t find someone to pay for it, it’s just not happening.

For example, conda-forge could not exist without Microsoft (and other providers) offering free CI resources, and without Anaconda footing the bill for petabytes worth of storage and traffic. Completely aside from that, there’s an army of bots & volunteers, plus a substantial core team (some of whom are paid at least in part for their work) to keep things running.

As a counter-example, CRAN has made it such that the default publication path needs to go through a build farm. I just doubt that it scales to Python, because Python is much more of a glue language than R, and so needs to build a much wider variety of stuff across its ecosystem. Having a build farm that does all of {C, C++, Fortran, Rust, CUDA, Java, JavaScript, …} sanely, much less across all relevant platforms, is a mind-boggling amount of work[1].

  1. and would be essentially reinventing conda & conda-forge