Commit
Merge pull request #44 from sethmlarson/trusted-publisher-nits
Add byline, link in README, fix ordering
di authored Jul 11, 2024
2 parents ba51c33 + ae1670b commit 8ccb8a6
Showing 3 changed files with 9 additions and 4 deletions.
2 changes: 2 additions & 0 deletions README.md
@@ -29,6 +29,8 @@ The working group may create:

See also https://repos.openssf.org/

* **[Trusted Publishers for All Package Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories)** - July 2024
> Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.
* **[Principles for Package Repository Security](https://repos.openssf.org/principles-for-package-repository-security)** - February 2024
> A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.
* **[Build Provenance and Code-signing for Homebrew](https://repos.openssf.org/proposals/build-provenance-and-code-signing-for-homebrew)** - July 2023
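Review bot: this README list duplicates the one kept in docs/index.md (same titles, links, dates and one-line descriptions), and the "fix ordering" part of this same commit shows the two copies had already drifted; consider keeping the catalogue in one file and linking to it from the other, or at least adding a comment in both that they must be edited together. Related: docs/index.md lists Build Provenance for All Package Registries (July 2023) under Documents, but that entry is not visible in this README hunk, so check that the README copy is complete.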
7 changes: 3 additions & 4 deletions docs/index.md
@@ -9,16 +9,15 @@ This is a list of materials (surveys, documents, proposals, and so on) released
## Documents

* [Trusted Publishers for All Package Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) - July 2024
> Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.
* [Principles for Package Repository Security](https://repos.openssf.org/principles-for-package-repository-security) - February 2024
> A security maturity model for package repositories, for assessing current capabilities and roadmapping future improvements.
* [Build Provenance for All Package Registries](https://repos.openssf.org/build-provenance-for-all-package-registries) - July 2023
> Guidance for package registries in adopting build provenance to verifiably link a package back to its source code and build instructions.
* [Trusted Publishers for All Package Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) - July 2024
> Guidance for package repositories in adopting Trusted Publishers to authenticate publishing from hosted build environments without using long-lived credentials.

## Proposals

* [Build Provenance and Code-signing for Homebrew](https://repos.openssf.org/proposals/build-provenance-and-code-signing-for-homebrew) - July 2023
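Review bot: moving the Trusted Publishers entry from the bottom of Documents to the top makes the list newest-first (July 2024, February 2024, July 2023), matching the README, but nothing in docs/index.md states that convention; a one-line note above the list such as `<!-- newest first -->` would keep the next addition from landing at the bottom again, as this one originally did.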
4 changes: 4 additions & 0 deletions docs/trusted-publishers-for-all-package-repositories.md
@@ -1,5 +1,9 @@
# Trusted Publishers for All Package Repositories

Authors: [Seth Michael Larson (Python Software Foundation)](https://github.com/sethmlarson)

Last updated: July 2024

Trusted Publishers is a new authentication method that builds on the existing OpenID Connect standard (OIDC) for user infrastructure publishing to public package repositories (e.g. CI publishing to PyPI, as opposed to maintainers publishing from their system or Homebrew's centralized builds). Authentication is performed by exchanging OIDC identity tokens for short-lived and tightly scoped API tokens for authenticating with package repository publishing APIs. Using short-lived API tokens removes the need to share long-lived and potentially highly privileged API tokens with external systems when publishing software.

## Why Trusted Publishers?
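Review bot: the new "Last updated: July 2024" line is hand-maintained and will go stale the first time the document is edited without touching it; consider generating it from the file's git history at site build time, or linking to the commit log instead. On the byline, "Authors:" introduces a single name, so "Author:" reads better unless more contributors are expected, and the affiliation in parentheses is a point-in-time fact that will need the same upkeep as the date.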

0 comments on commit 8ccb8a6