
      This is a pretty misleading title. They don’t do any curation nor additional checks for publishers. This is simply “Trusted Publishing”, akin to SSO in a company setting.

        As Peter Neumann frequently points out, there is a big difference between ‘trusted’ (you depend on this for core security guarantees) and ‘trustworthy’ (this thing will not compromise your core security guarantees). This seems to be correctly named.

          I was not commenting on the word “trusted”, but what comes after it. People publish their packages to pypi, thus, “trusted publishers”, in my eyes, refers to those who publish. Yet, what the article describes is more about the process of publishing, not about who does the publishing.

            In this context, the entity doing the publishing (the “publisher”) is a GitHub Action. Normally, you’d establish that action’s permission to publish by giving it a manually created PyPI token; with “trusted publishers,” the publisher is already trusted to mint a short-lived token against its OIDC identity.
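The two publishing models the comment above contrasts, as an added example that is not from the thread or from the linked article: the first workflow authenticates with a long-lived PyPI API token stored as a repository secret; the second drops the secret entirely and lets the job request a GitHub OIDC token, which `pypa/gh-action-pypi-publish` exchanges for a short-lived PyPI token. The repository `example-org/example-pkg`, the workflow filename `publish.yml` and the environment name `pypi` are placeholders; on the PyPI side a trusted publisher entry with exactly those values (owner, repository, workflow filename, environment) is assumed to have been registered on the project first.

```yaml
# BEFORE (added example, not the article's code): a long-lived API token lives
# in the repository's secrets. Anyone who can read that secret, or any log or
# fork that leaks it, can publish as the project until the token is revoked.
name: publish-legacy
on:
  release:
    types: [published]
jobs:
  pypi:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}   # long-lived credential

---
# AFTER (added example): trusted publishing. No PyPI secret is stored anywhere.
# `id-token: write` lets this job ask GitHub for an OIDC token whose claims
# name the repository (assumed: example-org/example-pkg), the workflow file
# (assumed: publish.yml) and the environment (assumed: pypi). PyPI checks those
# claims against the registered trusted publisher and mints a short-lived
# upload token that is scoped to this project and expires on its own.
name: publish
on:
  release:
    types: [published]
jobs:
  pypi:
    runs-on: ubuntu-latest
    environment: pypi          # must match the environment registered on PyPI
    permissions:
      id-token: write          # required so the job can request the OIDC token
      contents: read           # nothing else is needed to build and upload
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        # no `password:` input: the action detects the OIDC token and performs
        # the exchange with PyPI itself
```

The points a reviewer checks in the second form: the `permissions` block is set at the job (or workflow) level, the `environment` name matches the PyPI entry character for character, and the workflow filename in the PyPI entry is the file's actual name, since a mismatch in any of these makes PyPI reject the exchange rather than fall back to a token. Binding the trusted publisher to a GitHub environment also lets the repository require reviewers on that environment, so a compromised branch cannot publish without a human approving the deployment.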

      Are there any alternatives to GitHub here?

        It says it in the article:

        Finally, although trusted publishers is currently limited to GitHub Actions, much of the underlying work that went into making this feature possible is generalizable and not specific to a single publisher. We’re interested in supporting the ability to publish from additional services that provide OpenID Connect identities.

        It’s probably up to other projects to provide an integration.

          In fewer words: no.