Sign up to save your podcasts
Or
Share Trusted Publishing
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Trusted Publishing
Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you.
Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number.
Timestamps
0:00 Welcome & Introduction
4:00 Mike's PyCon US World Tour Recap
8:00 The Scale of PyPI: 13B Requests/Day & 36% Adoption
- 12:09 Why Long-Lived Tokens Fail: Four Attack Models
How to find Mike:
https://www.linkedin.com/in/miketheman/
https://www.python.org/psf-landing/
Links from the show:
View all episodes
By vBrownBag
4.7
3434 ratings
Join us as Mike Fiedler (AWS Hero, PyPI Safety & Security Engineer, Python Software Foundation) makes the case for eliminating long-lived credentials from your release workflow - before an attacker does it for you.
Mike walks through the real-world incidents that motivated Trusted Publishing, how OIDC-based short-lived tokens work under the hood, and the step-by-step process for setting it up in GitHub Actions. You'll learn how the 2024 Ultralytics compromise was forensically investigated thanks to Sigstore attestations, why that API token in your repo is just a password with a fancy hat, common pitfalls that will have you debugging for four hours, and why deleting your old token after setup is the step everyone forgets. PyPI went from 10% Trusted Publishing adoption in February 2024 to 36% today - this episode is how you become part of that number.
Timestamps
0:00 Welcome & Introduction
4:00 Mike's PyCon US World Tour Recap
8:00 The Scale of PyPI: 13B Requests/Day & 36% Adoption
- 12:09 Why Long-Lived Tokens Fail: Four Attack Models
How to find Mike:
https://www.linkedin.com/in/miketheman/
https://www.python.org/psf-landing/
Links from the show: