← Back to context

Comment by pamcake

2 days ago

> if it’s just you on a server in your garage, then there would be no advantage to either you or to the ecosystem for PyPI to federate with your server.

Why not leave decision on what providers to trust to users, instead of having a centrally managed global allowlist at the registry? Why should he registry admin be the one to decide who is fit to publish for each and all packages?

4 comments

pamcake

Reply
woodruffw  2 days ago

> Why not leave decision on what providers to trust to users, instead of having a centrally managed global allowlist at the registry?

We do leave it to users: you can always use an API token to publish to PyPI from your own developer machine (or server), and downstreams are always responsible for trusting their dependencies regardless of how they’re published.

The reason Trusted Publishing is limited at the registry level is because it takes time and effort (from mostly volunteers) to configure and maintain for each federated service, and the actual benefit of it rounds down to zero when a given service has only one user.

> Why should he registry admin be the one to decide who is fit to publish for each and all packages?

Per above, the registry admin doesn’t make a fitness decision. Trusted Publishing is an optional mechanism.

(However, this isn’t to say that the registry doesn’t reserve this right. They do, to prevent spamming and other abuse of the service.)

acdha  2 days ago

They’re running the most popular registry but nothing says you can’t use your own to implement whatever policy you want. The default registry has a tricky balance of needing to support inexperienced users while also only having a very modest budget compared to the companies which depend on it, and things like custom authentication flows are disproportionately expensive.

  • pamcake  2 days ago

    What's the issue exactly?

    They seem to manage to handle account signups with email addresss from unknown domain names just as fine as for hotmail.com and gmail.com. I don't see how this is any different.

    The whole point of standards like OIDC (and supposedly TP) is that there is no need for provider-specific implemenations or custom auth flows as long as you follow the spec and protocol. It's just some fields that can be put in a settings UI configurable by the user.

    • woodruffw  2 days ago

      It’s completely different. An email signup doesn’t involve a persistent trust relationship between PyPI and an OIDC identity provider. The latter imposes code changes, availability requirements, etc.

      (But also: for completely unrelated reasons, PyPI can and will ban email domains that it believes are sources of abuse.)