James Bennett on Nostr: There's a lot of malicious and/or uninformed conspiracy theory stuff about the ...
There's a lot of malicious and/or uninformed conspiracy theory stuff about the "Trusted Publishing" features on the #Python Package Index, so let me try to frame it in a way that breaks through:
Trusted Publishing is *not* primarily about PyPI trusting a site. It's about *you* trusting a site.
The point of TP is to let you safely delegate publishing permissions to something you don't own/control. Which is why TP is complex and involves short-lived OIDC tokens, etc.
If you own/control the pipeline, you don't need this! So "how do I self-host TP" is a nonsensical question.
Which means Trusted Publishing doesn't need to support "self hosted" publishing pipelines. If you own and control the pipeline, you can give it a regular PyPI API token.
You only need the added complexity of TP when dealing with something you don't own!