
This is a great feature, but its name is going to confuse people.

Before I read the article, I thought it was going to be about some kind of additional verification process to check that publishers are not malicious and have adequate security practices, resulting in two tiers of publishers, "trusted" and "untrusted". You might then configure pip to only install packages from "trusted publishers" by default, and you have to go through some scary confirmation prompts to install packages from untrusted ones.

Then I read the article, and I realised it wasn't what I was expecting at all. If you'd called it "OIDC Authenticated Publishers", I would have known what it was about from the start, and wouldn't have walked into the topic with the wrong expectation.




Indeed, it is not the publishers that are trusted, but rather their authorisation of a delegated publishing action taking, or having taken, place in their name.

The name is inaccurate and even misleading in a way that actively undermines the purpose of the entire initiative itself. A mistake which I believe only a name change can and should fix.


> OIDC Authenticated Publishers

That also strikes bad since GitHub Actions isn't a publisher anyways. To me, a package "publisher" is basically just the author. Here it's a CI system or a builder. "Trusted builders" or "trusted pushers" would've made a lot more sense, since the trust is applying to the build system, not the publisher.
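As an added example (not code from this thread, from PyPI, or from the article under discussion), this is what the "delegated publishing action" from the two comments above looks like in a GitHub Actions workflow: the CI job, not a person, obtains a short-lived OIDC identity token and PyPI checks it against the publisher registered for the project. The repository, workflow filename and the `pypi` environment name are assumptions; they must match what was registered on PyPI.

```yaml
# Added example: a minimal release job using PyPI Trusted Publishing.
# The job requests an OIDC ID token from GitHub; PyPI verifies the
# token's claims (repository owner and name, workflow file, environment)
# against the trusted publisher configured for the project. No long-lived
# PyPI API token is stored as a repository secret.
name: release

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Bind the job to a protected environment. If the trusted publisher on
    # PyPI is registered with this environment name, tokens minted by other
    # workflows, branches or environments in the same repo are rejected.
    environment: pypi  # assumed name, must match the PyPI configuration
    permissions:
      contents: read   # least privilege: the job only needs to read the repo
      id-token: write  # required to request the OIDC ID token
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build
      # Exchanges the OIDC token for a short-lived PyPI upload token and
      # uploads dist/*. Note there is no password or API-token input here.
      - uses: pypa/gh-action-pypi-publish@release/v1
```

The trust relationship is therefore between PyPI and this specific workflow in this specific repository, which is the point the comments above make about the name: the build system is what is being trusted, not the human author.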


> To me, a package "publisher" is basically just the author.

At work, we keep on calling the CI stage which uploads the build artifacts to Artifactory the "publish" stage. Maybe that's the wrong terminology but I've got used to it. And if "publish" is what the stage is doing, it kind of makes sense to call it a "publisher". Maybe that's wrong, especially in the context of PyPI, but it doesn't sound wrong to me.


If you write trusted pusher one time too many on an open channel the War on Drugs guys are going to bust your door down.


The blog should have been titled “Trusted Publishing”


I think there is some context here: PyPI had some blowback 9 months ago on their vetting process: https://news.ycombinator.com/item?id=32037562 so in a sense this is a less arbitrary version of that trusted publisher process.



