Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I can create a github account. How does that make me trustworthy? How being able to create a github account prevents me from adding a virus in my module?


It's not about the package maintainer, it's about the trustworthiness of the OIDC issuer to prove the identity of a user.

A poorly maintained issuer could leak their secret keys, allowing anyone to impersonate any package from their service.


But what use does it serve to prove that I am user "qioaisjqowihjdoaih" on github?

I mean it only proves I authenticated successfully. Nothing else.


It proves that a package was definitely uploaded from the correct repo.

Without trusted publishers a nefarious actor could use a leaked PyPI API key to upload from anywhere. If the only authorised location is actions on a specific Github repo then it makes a supply chain attack much trickier and much more visible.

With the new attestations it's now possible for package consumers to verify where the package came from too.


But… a github token could leak just as easily?




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact