Article 76TJW Woodruff: You shouldn't trust trusted publishing

Woodruff: You shouldn't trust trusted publishing

by
jzb
from LWN.net on (#76TJW)

William Woodruff, better known online as "yossarian", has publisheda blog post to make the case that users should not place their trustin trustedpublishing:

Trusted Publishing is a mechanism for establishing trust between anexternal machine identity (like a CI/CD workflow) and one or moreprojects on a package index/registry. The "trust" in "TrustedPublishing" refers to that trust relationship, and not to anythingelse.

It is not, and cannot be, a signal for package trust orquality. You cannot use it to determine whether a package is safe or"good," and PyPI consciously stymies attempts to misuse it for thatpurpose by not rendering it as a "green checkmark" or anything else ofthe sort.

Or as another framing: Trusted Publishing is just a form ofauthentication. It doesn't tell you anything other than that an uploadwas authenticated, which all uploads to PyPI are.

LWN covered trustedpublishing in June.

External Content
Source RSS or Atom Feed
Feed Location http://lwn.net/headlines/rss
Feed Title LWN.net
Feed Link https://lwn.net/
Reply 0 comments