← Back to context

Comment by veeti

2 days ago

Yet in practice, only the big boys are allowed to become "Trusted Publishers":

> In the interest of making the best use of PyPI's finite resources, we only plan to support platforms that have a reasonable level of usage among PyPI users for publishing. Additionally, we have high standards for overall reliability and security in the operation of a supported Identity Provider: in practice, this means that a home-grown or personal use IdP will not be eligible.

How long until everyone is forced to launder their artifacts using Microsoft (TM) GitHub (R) to be "trusted"?

[1] https://docs.pypi.org/trusted-publishers/internals/#how-do-i...

12 comments

veeti

Reply
woodruffw  2 days ago

I wrote a good chunk of those docs, and I can assure you that the goal is always to add more identity providers, and not to enforce support for any particular provider. GitHub was only the first because it’s popular; there’s no grand evil theory beyond that.

  • VorpalWay  1 day ago

    So if I self host my own gitea/forgejo instance, will trusted publishing work for me?

    • woodruffw  1 day ago

      If you had enough users and demonstrated the ability to securely manage a PKI, then I don’t see why not. But if it’s just you on a server in your garage, then there would be no advantage to either you or to the ecosystem for PyPI to federate with your server.

      That’s why API tokens are still supported as a first-class authentication mechanism: Trusted Publishing is simply not a good fit in all possible scenarios.

      5 replies →

    • eesmith  1 day ago

      According to their docs, they have a "have high standards for overall reliability and security in the operation of a supported Identity Provider: in practice, this means that a home-grown or personal use IdP will not be eligible."

      If you think your setup meets those standards, you'll need to use Microsoft (TM) GitHub (R) to contact them.

      3 replies →