• Woodruff: You shouldn't trust trusted publishing

    From LWN.net@1337:1/100 to All on Tuesday, July 07, 2026 15:30:05
    Woodruff: You shouldn't trust trusted publishing

    Date:
    Tue, 07 Jul 2026 14:27:57 +0000

    Description:
    William Woodruff, better known online as "yossarian", has published a blog post to make the case that users should not place their trust
    in trusted
    publishing : Trusted Publishing is a mechanism for establishing trust between an
    external machine identity (like a CI/CD workflow) and one or more
    projects on a package index/registry. The "trust" in "Trusted
    Publishing" refers to that trust relationship, and not to anything
    else. It is not, and cannot be, a signal for package trust or
    quality. You cannot use it to determine whether a package is safe or
    "good," and PyPI consciously stymies attempts to misuse it for that
    purpose by not rendering it as a "green checkmark" or anything else of
    the sort. Or as another framing: Trusted Publishing is just a form of authentication. It doesn't tell you anything other than that an upload
    was authenticated, which all uploads to PyPI are. LWN covered trusted publishing in June.

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1081690/


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)