Woodruff: You shouldn't trust trusted publishing
Date:
Tue, 07 Jul 2026 14:27:57 +0000
Description:
William Woodruff, better known online as "yossarian", has published a blog post to make the case that users should not place their trust
in trusted
publishing : Trusted Publishing is a mechanism for establishing trust between an
external machine identity (like a CI/CD workflow) and one or more
projects on a package index/registry. The "trust" in "Trusted
Publishing" refers to that trust relationship, and not to anything
else. It is not, and cannot be, a signal for package trust or
quality. You cannot use it to determine whether a package is safe or
"good," and PyPI consciously stymies attempts to misuse it for that
purpose by not rendering it as a "green checkmark" or anything else of
the sort. Or as another framing: Trusted Publishing is just a form of authentication. It doesn't tell you anything other than that an upload
was authenticated, which all uploads to PyPI are. LWN covered trusted publishing in June.
======================================================================
Link to news story:
https://lwn.net/Articles/1081690/
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)