by eesmith 166 days ago
According to their docs, they "have high standards for overall reliability and security in the operation of a supported Identity Provider: in practice, this means that a home-grown or personal use IdP will not be eligible."

If you think your setup meets those standards, you'll need to use Microsoft (TM) GitHub (R) to contact them.

In other words, it is a clear centralization drive. No two ways about it.

PyPI is already centralized.

Back when I started with PyPI, manual upload through the web interface was the only possibility. Have they gotten rid of that?

My understanding is that "trusted publishing"[0] was meant as an additional alternative to that sort of manual processing. It was never decentralized. As I recall, the initial version only supported GitHub and (I think) GitLab.

[0] I do not trust Microsoft as an intermediary to my software distribution. I don't use Microsoft products or services, including GitHub.

Yes, this makes contacting PyPI support via GitHub impossible for me. That is one of the reasons I stopped using PyPI and instead distribute my wheels from my own web site.

npm is centralized to start with, so how is this a problem?