The overall concepts are detailed here: https://docs.pypi.org/trusted-publishers/
TL;DR: using OIDC to generate short-lived access tokens to publish from known publishers, instead of holding on to long-lived API tokens
What sort of "Trusted Publishing" does this do?
Signed packages? Provide sufficient information to attempt and verify #ReproducibleBuilds? Chains of Provenance?
@miketheman @pypi Not a GitLab user, just running a small Gitea instance.
Is there an issue, blog or PR I could follow to read more about your approach once it is published?
@matmair Sure! You could start with the intro to Trusted Publishers from back in 2023: https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/
And more:
https://blog.pypi.org/posts/2024-04-17-expanding-trusted-publisher-support/
https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/
For this specific work, I'm working on a lot in this issue: https://github.com/pypi/warehouse/issues/15838
@miketheman thank you for the link; I have been looking into adding “trusted publishing” as defined by the WG to a primarily self-hosted platform and this will be the final puzzle piece to make that reasonable for the deployment scenario.
Thank you for your effort and good luck with the work ahead!