
Except that also for trusted publishing, they only allowed GitHub in the beginning and eventually added a couple of other providers. But if you're not Google or Microsoft you won't be added.


These kinds of comments are borderline mendacious: you can observe, trivially, that 50% of the Trusted Publishers currently known to PyPI are neither Google nor Microsoft controlled[1].

If PyPI accepts two more likely ones, a full 2/3rds will be unrelated to GitHub.

[1]: https://docs.pypi.org/trusted-publishers/adding-a-publisher/


Ping me when one of them will be an open source entity rather than a company.



Wow. I get to choose one from a total of FOUR large corporations! Amazing openness!


Once again: this is constrained by design. If you don’t want to use OpenID Connect, just create a token on PyPI and publish the normal way. You are not, and will never be, required to use this feature.


Wow, you can use a whole two other providers from your list: GitLab and ActiveState. Color me unimpressed.



