Mastodon Feed
Boosted by glyph ("Glyph"):
ubernostrum@infosec.exchange ("James Bennett") wrote:
@zzzeek The problem Trusted Publishing aims to solve is that if you let a pipeline auto-publish to PyPI for you, and it has a long-lived PyPI credential for doing that, it's very easy to accidentally expose that credential, and then an attacker who gets it can use it to upload packages for as long as it takes you to notice and revoke the credential.
Trusted Publishing replaces that with a more complex (behind the scenes) dance where the pipeline authenticates to PyPI and is given a short-lived narrow-scoped token. If it gets leaked, an attacker has only a very brief window of time in which to notice and try to exploit before the token expires.