di's comments

Maven Central does not currently support OIDC-based authentication (commonly called "Trusted Publishing").


Didn’t know this term. After reading, I wonder why short-lived tokens get this monocle. But yeah, I prefer OIDC over token-based access as well. The only small downside I see is the setup needed for a custom OIDC provider. Don’t know the right terms off the top of my head, but we had quite the fun registering our internal Jenkins so it could create valid OIDC tokens for AWS. GitHub and GitHub Actions come with batteries included. I mean the downside is that a huge vendor can easily provide this, while a custom-rolled CI needs extra steps / infrastructure.


For some context on the scale of this grant, the PSF took in only $1M in "Contributions, Membership Dues, & Grants" in 2024: https://www.python.org/psf/annual-report/2024/


It says "September 23, 2025" right at the top.


The website hides the date on mobile.


Don't be embarrassed, it's a good book (and was my favorite too).


Note that https://peps.python.org/pep-0440/#direct-references says:

> Public index servers SHOULD NOT allow the use of direct references in uploaded distributions. Direct references are intended as a tool for software integrators rather than publishers.

This means that PyPI will not accept your project metadata as you currently have it configured. See https://github.com/pypi/warehouse/issues/7136 for more details.


Guess the guy who wrote this article will learn the hard way: The last 20% of packaging is 800% of your time.


This is why PyPI recommends using Trusted Publishing (https://docs.pypi.org/trusted-publishers/) which removes the need for long-lived tokens entirely.


> An example of this is that PyPI just got the ability to namespace packages.

You're thinking of organizations, which are not namespaces: https://blog.pypi.org/posts/2023-04-23-introducing-pypi-orga...


Right, but to an average developer, organizations look and feel very much like namespaces.

LWN even used namespaces in the title of the article describing the feature, which doesn’t help the confusion: https://lwn.net/Articles/930509/


That article is about the packaging summit talk on introducing namespaces, not about organizations. In fact, when talking about organizations, it explicitly says:

> But support for namespaces is not part of the new feature.


Pip supports checksums too. A better link might be https://pip.pypa.io/en/stable/topics/secure-installs/
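To show what pip's hash-checking mode actually enforces, here is an added example (not pip's own code, and not from the comment) that parses requirements in the `--hash=sha256:...` format and verifies artifact bytes against the pins, rejecting unpinned requirements, missing hashes and weak algorithms the same way `--require-hashes` does. The sample requirements text and artifact bytes are constructed inside the block.

```python
"""Verify artifacts against pip-style --hash pins (added example, not pip's code)."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HASH_RE = re.compile(r"--hash=(?P<alg>[a-z0-9]+):(?P<hex>[0-9a-f]+)")
PIN_RE = re.compile(r"([A-Za-z0-9_.\-]+)==(\S+)")
# pip's hash-checking mode only accepts strong digests; mirror that here.
ALLOWED_ALGS = {"sha256", "sha384", "sha512"}


@dataclass
class Requirement:
    name: str
    version: str
    hashes: List[Tuple[str, str]] = field(default_factory=list)


def parse_requirements(text: str) -> List[Requirement]:
    """Parse `pkg==1.0 --hash=sha256:... \\` lines, honouring backslash continuations."""
    logical = text.replace("\\\n", " ")
    reqs: List[Requirement] = []
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            # Hash-checking mode requires every requirement to be pinned with ==.
            raise ValueError(f"unpinned requirement: {line!r}")
        req = Requirement(m.group(1), m.group(2))
        for h in HASH_RE.finditer(line):
            if h["alg"] not in ALLOWED_ALGS:
                raise ValueError(f"weak hash algorithm {h['alg']!r} for {req.name}")
            req.hashes.append((h["alg"], h["hex"]))
        if not req.hashes:
            # One unhashed requirement disables the guarantee for the whole install.
            raise ValueError(f"no --hash for {req.name}")
        reqs.append(req)
    return reqs


def verify_artifacts(requirements_text: str, artifacts: Dict[str, bytes]) -> Dict[str, bool]:
    """Return {name: ok}; ok is True only if the artifact matches one of its pinned hashes."""
    results: Dict[str, bool] = {}
    for req in parse_requirements(requirements_text):
        data = artifacts.get(req.name)
        if data is None:
            results[req.name] = False
            continue
        ok = False
        for alg, expected in req.hashes:
            digest = hashlib.new(alg, data).hexdigest()
            # Constant-time compare; digests are public, but it costs nothing.
            if hmac.compare_digest(digest, expected):
                ok = True
        results[req.name] = ok
    return results


def demo() -> Dict[str, bool]:
    """Constructed sample run: intact artifact, tampered artifact, missing artifact, weak pin."""
    good = b"PK\x03\x04 constructed wheel contents"  # constructed bytes, not a real wheel
    pin = hashlib.sha256(good).hexdigest()
    reqs = f"demo-pkg==1.0 \\\n    --hash=sha256:{pin}\n"
    out = {
        "intact": verify_artifacts(reqs, {"demo-pkg": good})["demo-pkg"],
        "tampered": verify_artifacts(reqs, {"demo-pkg": good + b"\x00"})["demo-pkg"],
        "missing": verify_artifacts(reqs, {})["demo-pkg"],
    }
    try:
        parse_requirements("demo-pkg==1.0 --hash=md5:d41d8cd98f00b204e9800998ecf8427e")
        out["md5_rejected"] = False
    except ValueError:
        out["md5_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

With real requirements, `pip hash dist/*.whl` emits the `--hash` lines and `pip install --require-hashes -r requirements.txt` performs the equivalent check; the point the block makes visible is that a single byte of change, a missing artifact, or an md5 pin all fail closed.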


PyPI has never supported 2FA via SMS.


Periods are not prohibited in package names, they're just uncommon (e.g., https://pypi.org/project/zope.sqlalchemy/).

