BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//programme.europython.eu//europython-2026//speaker//XZGYG
 J
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-europython-2026-M8Q77Z@programme.europython.eu
DTSTART;TZID=CET:20260715T104500
DTEND;TZID=CET:20260715T113000
DESCRIPTION:In 2023\, PyPI started supporting Trusted Publishers: A way to 
 publish Python packages to PyPI without relying on insecure password and s
 hort-lived tokens. Three years later\, this approach has become the defaul
 t answer to package registries' security\, as it found its way into NPM\, 
 crates.io\, and RubyGems. But does it actually offer the benefits we hoped
  it would? Can you really trust the green checkmark\, and if you can't\, w
 hat's the point?\n\nIn this talk\, I want to look closely at what Trusted 
 Publishers are\, and what we _might_ think they are\; who they do and do n
 ot protect. We'll explore the potential centralization problem of relying 
 on Big Tech\, US-based CI providers\, leaving little room for smaller play
 ers like Codeberg and Sourcehut\, as well as self-hosted Git forges and CI
  engines.\n\nBut even when using GitHub\, Trusted Publishers may be
  tricky to get right\, exposing different backdoors for the attacker
  to exploit. I want to discuss the illusion of security Trusted
  Publishers may give the inexperienced PyPI user\; that is\, if they
  actually decide to look at the hidden details of the published
  artifacts. How can we safeguard our Python projects\, and should it
  be us who safeguards it? I will propose some solutions to this
  issue\, including how the package managers and the PyPI registry
  itself can help us in this task.\n\nLastly\, we'll reminisce about
  the past in search of answers. Maybe OpenPGP ‘Web of Trust’ wasn't
  such a bad idea after all? Can we regain our independence in deciding
  who we do and don't trust?
DTSTAMP:20260524T122005Z
LOCATION:Chamber Hall B (S3B)
SUMMARY:Should you trust Trusted Publishing? - Nikita Karamov
URL:https://programme.europython.eu/europython-2026/talk/M8Q77Z/
END:VEVENT
END:VCALENDAR
