LtWorf 16 hours ago

I think you are conflating a CI runner I don't really control with my machine?

woodruffw 15 hours ago

I mean, it’s an ephemeral VM that you have root on. You don’t own it, but you control it in every useful sense of the word.

But also, that’s an implementation detail. There’s no reason why PyPI couldn’t accept attestations from local machines (using email identities) using this scheme; it’s just more engineering and design work to determine what that would actually communicate.

some_furry 14 hours ago

It might be worthwhile for someone to do this engineering work; e.g., to make attestations work even for folks that use platforms like Codeberg or self-hosted git.

woodruffw 14 hours ago

Yeah, completely agreed. I think there's a strong argument to be made for Codeberg as a federated identity provider, which would allow attestations from their runners.

(This would of course require Codeberg to become an IdP + demonstrate the ability to maintain a reasonable amount of uptime and hold their own signing keys. But I think that's the kind of responsibility they're aiming for.)