Should you trust Trusted Publishing?
- Track: Testing, Quality Assurance, Security
- Type: Talk (long session)
- Level: intermediate
- Duration: 45 minutes
Abstract
In 2023, PyPI started supporting Trusted Publishers: a way to publish Python packages to PyPI without relying on passwords or long-lived API tokens, using short-lived tokens issued to a CI workflow instead. Three years later, this approach has become the default answer to package registry security, having found its way into npm, crates.io, and RubyGems. But does it actually offer the benefits we hoped it would? Can you really trust the green checkmark, and if you can't, what's the point?
In this talk, I want to look closely at what Trusted Publishers are, and what we might think they are; who they do and do not protect. We'll explore the potential centralization problem of relying on a handful of large, US-based CI providers, which leaves little room for smaller players like Codeberg and Sourcehut, as well as for self-hosted Git forges and CI engines.
But even when using GitHub, Trusted Publishers may be tricky to get right, opening various backdoors for an attacker to exploit. I want to discuss the illusion of security Trusted Publishers may give an inexperienced PyPI user, assuming they even look at the provenance details of the published artifacts. How can we safeguard our Python projects, and should it be us who safeguard them? I will propose some solutions to this issue, including how the package managers and the PyPI registry itself can help us in this task.
Lastly, we'll reminisce about the past in search of answers. Maybe the OpenPGP 'Web of Trust' wasn't such a bad idea after all? Can we regain our independence in deciding who we do and don't trust?