"Trusted publishers" on the Python Package Index
The Python Package Index (PyPI) has, like many language-specific repositories, had ongoing problems with malicious uploads. PyPI is now launching an authentication mechanism called trusted publishers in an attempt to fight this problem.
Instead, PyPI maintainers can configure PyPI to trust an identity provided by a given OpenID Connect Identity Provider (IdP). This allows PyPI to verify and delegate trust to that identity, which is then authorized to request short-lived, tightly-scoped API tokens from PyPI. These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.