top | item 46531261

(no title)

epage | 1 month ago

As I'm not familiar with the npm ecosystem so maybe I'm misunderstanding this but it sounds like they removed support for local publishes (via a token) in favor of CI publishing using Trusted Publishing.

If that is correct, I thought this was discussed when Trusted Publishing was proposed for Rust that it was not meant to replace local publishing, only harden CI publishing.

discuss

woodruffw|1 month ago

> If that is correct, I thought this was discussed when Trusted Publishing was proposed for Rust that it was not meant to replace local publishing, only harden CI publishing.

Yes, that's right, and that's how it was implemented for both Rust and Python. NPM seems to have decided to do their own thing here.

(More precisely, I think NPM still allows local publishing with an API token, they just won't grant long-lived ones anymore.)

the_mitsuhiko|1 month ago

I think the path to dependency on closed publishers was opened wide with the introduction of both attestations and trusted publishing. People now have assigned extra qualities to such releases and it pushes the ecosystem towards more dependency on closed CI systems such as github and gitlab.

It was a good intention, but the ramifications of it I don't think are great.

greggman65|1 month ago

Rust and Python appear to still long lived ones so it's only a matter of time until they get the same issues it would seem?