53 minutes ago · 8 min read1546 words · Culture · hide · 0 comments

…because Trusted Publishing isn’t for you (or me) to trust! It’s for the machines. Trusted Publishing is an authentication scheme that involves machine-to-machine trust. If you find yourself arguing (or for!) against Trusted Publishing on the basis that you (a human) can’t (or can) trust it then you’re making a category error, one that PyPI is careful to help you not make. I wrote about this indirectly about two years ago, but I left this observation implicit rather than laying it out explicitly. This is an attempt to correct that mistake. Quick recap# “Trusted Publishing” is a term of art that PyPI uses to describe a form of authentication on top of OpenID Connect (OIDC) federation. PyPI released it in 20231, and it’s since been adopted widely by other packaging ecosystems (including npm, RubyGems, crates.io, and NuGet). The basic observation behind Trusted Publishing is twofold: Long-lived credentials (like index API tokens) are difficult to secure, and are often over-scoped because…

No comments yet. Log in to reply on the Fediverse. Comments will appear here.