On 14/06/2024 09:10, Jarek Potiuk wrote:
Hello everyone,
TL;DR: I would like to hear what you think about using GitHub Actions as a
Trusted Publisher to publish Python packages to PyPI?
<snip/>
If the process includes a check that the binary is identical to the one
published by the ASF this all looks reasonable to me.
My only question is what do the users see in terms of the verified
identity that performed the release. Does it still appear to have come
from the individual maintainer? The ASF? Somewhere else? I'd only be
concerned if the answer was "somewhere else".
Mark