by chippiewill
588 days ago
It proves that a package was definitely uploaded from the correct repo. Without trusted publishers a nefarious actor could use a leaked PyPI API key to upload from anywhere. If the only authorised location is actions on a specific GitHub repo then it makes a supply chain attack much trickier and much more visible. With the new attestations it's now possible for package consumers to verify where the package came from too.