Woodruff: You shouldn't trust trusted publishing [LWN.net]
LWN<br>.net<br>News from the source
Content Weekly Edition<br>Archives<br>Search<br>Kernel<br>Security<br>Events calendar<br>Unread comments
LWN FAQ<br>Write for us
Edition Return to the Briefs page
User:<br>Password: |
Log in /<br>Subscribe /<br>Register
Woodruff: You shouldn't trust trusted publishing
[Posted July 7, 2026 by jzb]
William Woodruff, better known online as "yossarian", has published<br>a blog post to make the case that users should not place their trust<br>in trusted<br>publishing:
Trusted Publishing is a mechanism for establishing trust between an<br>external machine identity (like a CI/CD workflow) and one or more<br>projects on a package index/registry. The "trust" in "Trusted<br>Publishing" refers to that trust relationship, and not to anything<br>else.
It is not, and cannot be, a signal for package trust or<br>quality. You cannot use it to determine whether a package is safe or<br>"good," and PyPI consciously stymies attempts to misuse it for that<br>purpose by not rendering it as a "green checkmark" or anything else of<br>the sort.
Or as another framing: Trusted Publishing is just a form of<br>authentication. It doesn't tell you anything other than that an upload<br>was authenticated, which all uploads to PyPI are.
LWN covered trusted<br>publishing in June.
to post comments
Isn't the solution a rebrand?
Posted Jul 7, 2026 17:58 UTC (Tue)<br>by walters (subscriber, #7396)<br>[Link] (3 responses)
How about rebranding to "OIDC-linked publishing"?
Isn't the solution a rebrand?
Posted Jul 7, 2026 18:36 UTC (Tue)<br>by rgmoore (✭ supporter ✭ , #75)<br>[Link] (2 responses)
I completely agree it's a branding problem, and it's 100% their fault. If it's really an authentication mechanism rather than a trust mechanism, they shouldn't have called it "trusted" anything.
Isn't the solution a rebrand?
Posted Jul 7, 2026 19:19 UTC (Tue)<br>by LawnGnome (subscriber, #84178)<br>[Link] (1 responses)
I pretty regularly make that complaint. It is what it is at this point, since it's become a term of art, but it's honestly made it harder to educate people about what it actually does.
Isn't the solution a rebrand?
Posted Jul 9, 2026 11:15 UTC (Thu)<br>by kpfleming (subscriber, #23250)<br>[Link]
Sadly it is a 'technically correct' term (which as we all know is the best kind of correct), since it literally only addresses the publishing process and not the content which was published. People will assume it means more than it does, of course, but naming things is hard too.
Delegated authentication is a trust signal
Posted Jul 7, 2026 18:41 UTC (Tue)<br>by roguelazer (subscriber, #101286)<br>[Link] (2 responses)
I disagree quite a bit, actually. I've been at multiple companies that have had PyPI credentials specifically compromised — it's a high-value credential that, until recently, only supported username+password authentication, and most people who publish packages do so very infrequently. Also, because team management is such an enormous pain in the butt on PyPI, NPM, and most of the other platforms, many companies end up using shared credentials which inevitably end up getting leaked.
Trusted Publishing with a good IdP tells me that authentication has been offloaded to a third party who hopefully has reasonable tools in place for things like enforcing passkeys on all logins and integrating with enterprise identity governance systems; a package that was published through Trusted Publishing, to me, is less likely to be malware published because someone got a hold of the shared username and password that $BIGCO has used to put out all of their python packages since 2011. Obviously it's not attesting to the quality of the contents of the package (nothing other than downloading it and reading all the code can do that), but it's still a signal.
Pragmatically, one of the goals of a package manager like PyPI or NPM or Cargo is to make it so that the developers who have to do the essential work of reviewing every change to every dependency can do so a little faster and more easily; every signal they can share helps. Some day maybe we'll even get package managers that can make attestations like "the contents of this package match the contents of this git repo at this sha" for us!
All of that being said, PyPI specifically has a broken trusted publishing implementation for one of the most common use-cases (publishing from GitHub Actions with reusable workflows), which is quite a bummer...
Delegated authentication is a trust signal
Posted Jul 8, 2026 0:17 UTC (Wed)<br>by LtWorf (subscriber, #124958)<br>[Link] (1 responses)
No worries, next time they will compromise your private ssh keys and/or your github tokens instead.
Or just compromise your github runner.
Delegated authentication is a trust signal
Posted Jul 10, 2026 10:01 UTC (Fri)<br>by muase (subscriber, #178466)<br>[Link]
I see what you’re going at, but I disagree with that kind of argument, because it implies that security is a binary state, while in reality it’s a continuum. There...