home.social

#trustedpublishing — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #trustedpublishing, aggregated by home.social.

  1. Weekend side project: Site that shows a timeline of package registries that support Trusted Publishing (and when support was added).

    To my knowledge, the following package registries support Trusted Publishing:

    - pub.dev
    - PyPI
    - RubyGems
    - JSR
    - crates.io
    - npm
    - NuGet

    jduabe.dev/posts/2025/are-we-t

    #trustedpublishing

  3. I wrote an annotated version of a talk I gave at my local Python meetup (Python WA) a couple of weeks ago: Trusted Publishing & Digital Attestations in the OSS Ecosystem.

    With the recent attacks on popular packages and registries, it's important to learn what tools and techniques are available to increase trust and security in our software supply chain.

    jduabe.dev/posts/2025/trusted-

    #trustedpublishing #attestations

  5. Setting up trusted publishing with uv in GHA:
    1. set up trusted publishing in PyPI
    2. add `permissions: {id-token: write}` and `uv publish` step to the workflow
    3. profit

    #TrustedPublishing #PythonUv #GithubActions