Comment by woodruffw

2 days ago

> Why not leave decision on what providers to trust to users, instead of having a centrally managed global allowlist at the registry?

We do leave it to users: you can always use an API token to publish to PyPI from your own developer machine (or server), and downstreams are always responsible for trusting their dependencies regardless of how they’re published.

The reason Trusted Publishing is limited at the registry level is because it takes time and effort (from mostly volunteers) to configure and maintain for each federated service, and the actual benefit of it rounds down to zero when a given service has only one user.

> Why should the registry admin be the one to decide who is fit to publish for each and all packages?

Per above, the registry admin doesn’t make a fitness decision. Trusted Publishing is an optional mechanism.

(However, this isn’t to say that the registry doesn’t reserve this right. They do, to prevent spamming and other abuse of the service.)