A recent supply chain attack highlighted the inherent risks of using long-lived tokens to publish packages to PyPI, which was the only option for automated deployment until Trusted Publishing was introduced in 2023. OpenAstronomy's publishing workflows were initially designed around the token-based strategy, and recently added support for using trusted publishing instead.
This project has no visible automated publication mechanism enabled, which suggests that releases are done manually from a maintainer's work station. This is inherently less safe than trusted-publishing, as the work station could be subject to targeted attacks, and downstream users have no way to audit the integrity of the published artifacts.
I'm reporting to all projects I find still relying on insecure publishing strategies, and strongly recommend this project switches to trusted publishing. I'm happy to answer any questions maintainers may have about the process, and I note that most of the work requires administration rights both to the repository and the PyPI project.
A recent supply chain attack highlighted the inherent risks of using long-lived tokens to publish packages to PyPI, which was the only option for automated deployment until Trusted Publishing was introduced in 2023.
OpenAstronomy's publishing workflows were initially designed around the token-based strategy, and recently added support for using trusted publishing instead.This project has no visible automated publication mechanism enabled, which suggests that releases are done manually from a maintainer's work station. This is inherently less safe than trusted-publishing, as the work station could be subject to targeted attacks, and downstream users have no way to audit the integrity of the published artifacts.
I'm reporting to all projects I find still relying on insecure publishing strategies, and strongly recommend this project switches to trusted publishing. I'm happy to answer any questions maintainers may have about the process, and I note that most of the work requires administration rights both to the repository and the PyPI project.