<p><span class="h-card" translate="no"><a href="https://mastodon.social/@glyph" class="u-url mention">@<span>glyph</span></a></span> <span class="h-card" translate="no"><a href="https://hachyderm.io/@dalias" class="u-url mention">@<span>dalias</span></a></span> <span class="h-card" translate="no"><a href="https://orbital.horse/@emma" class="u-url mention">@<span>emma</span></a></span> <span class="h-card" translate="no"><a href="https://mastodon.social/@mcc" class="u-url mention">@<span>mcc</span></a></span> actually, speaking of PyPI, the (suspiciously named) Trusted Publishing thing that PyPI &amp; GitHub are doing is actually lifting a lot of the pressure off me related to being used as an attack vector</p><p>being able to<br />(a) publish releases from a CI builder, bypassing my local machine entirely, and<br />(b) confirm that the release was built from an authentic git commit<br />removes a lot of reasons for previously manually running <code>twine upload</code> from a machine I&#39;ve used for 10+ years</p>