You shouldn't trust Trusted Publishing

35 points by yossarian


fpbgg

This is a good write-up. Trusted Publishing and attestations provide different sets of guarantees against different failure modes, which are both also distinct from what trust means to most users.

justJanne

Trusted Publishing is only possible because over the past 15 years so many open source projects went from self hosting (mailing lists, git repository, bug tracker, build server) to centralized forges.

Now the downsides of centralized forges are becoming more obvious and projects are considering self-hosting again.

But while in the 2010s it was convenience and the social network aspect that pushed projects to centralized forges, now there are many other factors that lock projects in, including Trusted Publishing.


Mistrust authority – promote decentralization.

— "The Hacker Ethics", from Hackers: Heroes of the Computer Revolution (Steven Levy, 1984)