top | item 46536771


veeti | 1 month ago

Yet in practice, only the big boys are allowed to become "Trusted Publishers":

> In the interest of making the best use of PyPI's finite resources, we only plan to support platforms that have a reasonable level of usage among PyPI users for publishing. Additionally, we have high standards for overall reliability and security in the operation of a supported Identity Provider: in practice, this means that a home-grown or personal use IdP will not be eligible.

How long until everyone is forced to launder their artifacts using Microsoft (TM) GitHub (R) to be "trusted"?

[1] https://docs.pypi.org/trusted-publishers/internals/#how-do-i...


woodruffw | 1 month ago

I wrote a good chunk of those docs, and I can assure you that the goal is always to add more identity providers, and not to enforce support for any particular provider. GitHub was only the first because it’s popular; there’s no grand evil theory beyond that.

VorpalWay | 1 month ago

So if I self host my own gitea/forgejo instance, will trusted publishing work for me?