Why Use Trusted Publishing for PyPI?
Trusted publishing replaces long-lived PyPI API tokens with short-lived OIDC credentials, eliminating the most common way attackers gain unauthorized upload access to PyPI.
Introduction
docs.pypi.org
Incident Report: LiteLLM/Telnyx supply-chain attacks, with guidance - The Python Package Index Blog
Python Package Index shares insights and provides guidance following LiteLLM/Telnyx supply-chain attacks
Attestations: A new generation of signatures on PyPI
For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]
What's going on in my life as a programmer — Tony Narlock
Year-by-year log of Tony Narlock's open source work — new releases, project milestones, and technical writing across libtmux, tmuxp, vcspull, cihai, and related Python tooling.
Attestations: A new generation of signatures on PyPI
For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestations improve on traditional PGP signatures (which have been disabled on PyPI) by providing key usability, index verifiability, cryptographic strength, and provenance properties that bring […]
Why pylock.toml includes digital attestations
A Python project got hacked where malicious releases were directly uploaded to PyPI. I said on Mastodon that had the project used trusted publishing with digital attestations, then people using a pylock.toml file would have noticed something odd was going on thanks to the lock file including attestation data.