← Back to context

Comment by eesmith

2 days ago

According to their docs, they have a "have high standards for overall reliability and security in the operation of a supported Identity Provider: in practice, this means that a home-grown or personal use IdP will not be eligible."

If you think your setup meets those standards, you'll need to use Microsoft (TM) GitHub (R) to contact them.

3 comments

eesmith

Reply
VorpalWay  2 days ago

In other words, it is a clear centralization drive. No two ways about it.

  • eesmith  2 days ago

    PyPI is already centralized.

    Back when I started with PyPI, manual upload through the web interface was the only possibility. Have they gotten rid of that?

    My understanding is that "trusted publishing"[0] was meant as an additional alternative to that sort of manual processing. It was never decentralized. As I recall, the initial version only supported GitHub and (I think) GitLab.

    [0] I do not trust Microsoft as an intermediary to my software distribution. I don't use Microsoft products or services, including GitHub.

    Yes, this makes contacting PyPI support via GitHub impossible for me. That is one of the reasons I stopped using PyPI and instead distribute my wheels from my own web site.