“Trusted publishers” on the Python Package Index

Post Syndicated from original https://lwn.net/Articles/929830/

The Python Package Index (PyPI) has, like many language-specific repositories, had ongoing problems with malicious uploads. PyPI is now launching an authentication mechanism called trusted publishers in an attempt to fight this problem.

Instead, PyPI maintainers can configure PyPI to trust an identity provided by a given OpenID Connect Identity Provider (IdP). This allows PyPI to verify and delegate trust to that identity, which is then authorized to request short-lived, tightly-scoped API tokens from PyPI. These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.
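The claim-matching step behind that delegation, as an added example that is not PyPI's own code: after the IdP's signature, issuer and expiry have been verified, the token's claims must match the publisher the maintainer registered exactly, or no upload token is minted. Claim names are those of GitHub Actions OIDC tokens; `TrustedPublisher`, `matches`, `find_publisher` and the audience value `pypi` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Issuer of GitHub Actions OIDC tokens (a real value; other IdPs differ).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Audience the relying party expects; assumed for this example.
EXPECTED_AUDIENCE = "pypi"


@dataclass(frozen=True)
class TrustedPublisher:
    """What a maintainer registers: which repo and workflow may publish."""
    owner: str
    repository: str
    workflow_filename: str
    environment: Optional[str] = None  # None: any environment is accepted


def matches(claims: dict, publisher: TrustedPublisher) -> bool:
    """True if an already signature-/expiry-verified token fits this publisher.

    Every comparison is exact so that a fork, a different workflow file in
    the same repo, or an unexpected environment cannot mint an upload token.
    """
    if claims.get("iss") != GITHUB_ISSUER:
        return False
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False
    if claims.get("repository") != f"{publisher.owner}/{publisher.repository}":
        return False
    # job_workflow_ref: "owner/repo/.github/workflows/<file>@<git ref>"
    ref = claims.get("job_workflow_ref", "")
    expected = (f"{publisher.owner}/{publisher.repository}"
                f"/.github/workflows/{publisher.workflow_filename}@")
    if not ref.startswith(expected):
        return False
    if publisher.environment is not None:
        if claims.get("environment") != publisher.environment:
            return False
    return True


def find_publisher(claims: dict, publishers: list) -> Optional[TrustedPublisher]:
    """Return the first registered publisher the token satisfies, else None."""
    for publisher in publishers:
        if matches(claims, publisher):
            return publisher
    return None
```

A token that passes `find_publisher` is what earns the short-lived, project-scoped upload token; everything else is rejected before any credential exists.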