#trusted publishing
Woodruff: Trusted publishing is not a trust signal
8/10lwn.net · ⭐️ 8/10 · 2026-07-07
William Woodruff published a blog post arguing that PyPI's trusted publishing should not be interpreted as a signal of package trust or quality, but rather as a form of authentication. This clarifies a common misconception among developers, which could otherwise lead to over-reliance on trusted publishing for software supply chain security decisions. Woodruff emphasizes that trusted publishing uses OpenID Connect (OIDC) to establish identity between a CI/CD workflow and PyPI, and that PyPI deliberately avoids rendering it as a green checkmark.