View source for a package, powered by attestations

[simonw]

What's the problem this feature will solve?

I'd like to be able to "view source" for a package before I download it, taking advantage of the new attestations feature.

Describe the solution you'd like

Right now I can do this but it's a bunch of clicks. I can start here: https://pypi.org/project/llm-mistral/#llm_mistral-0.8-py3-none-any.whl - where I see this:

If I click that link through to Sigstore I get this: https://search.sigstore.dev/?logIndex=149649835

I can then construct this URL on GitHub using that information:

https://github.com/simonw/llm-mistral/tree/f590da389e96cfea6980d340ee524622677dc0c3

And that gives me the ability to browse the exact source code I'll get when I use pip install ... to get that wheel.

[simonw]

... hah, it turns out I requested this exact same feature six years ago!

• Feature request: "view source" tool for inspecting package contents #5118

[di]

I'd like to be able to "view source" for a package before I download it, taking advantage of the new attestations feature.

Seems like you want a shortcut to the upstream repository at the commit where the file was published, not what quite what was requested in #5118 (inspect package contents of what has been published to PyPI).

I can then construct this URL on GitHub using that information:

This was discussed in #17072 (comment) and is included as a task in #17001, so I think this should probably be considered a duplicate of that issue.

[di]

Closing as a duplicate of #17001.