I'm not sure how someone is supposed to use attestations if PyPI refuses to support the forge they use? I'm not sure how this prevents a package getting maliciously uploaded via Github Actions? To me, this is going to lead to another bincode incident, because it conflates trust in the maintainer with trust in the platform.
I'm not sure how someone is supposed to use attestations if PyPI refuses to support the forge they use? I'm not sure how this prevents a package getting maliciously uploaded via Github Actions? To me, this is going to lead to another bincode incident, because it conflates trust in the maintainer with trust in the platform.