
The next step in corporate control of 'open source'

Posted Oct 22, 2024 17:22 UTC (Tue) by Nahor (subscriber, #51583)
In reply to: The next step in corporate control of 'open source' by LtWorf
Parent article: Python PGP proposal poses packaging puzzles

> Depends if they allow other providers.

It's in the article and the excerpt I quoted:
>> [...] Note that [...] it is possible to set up other OIDC providers.

Am I missing something!?


The next step in corporate control of 'open source'

Posted Oct 22, 2024 18:12 UTC (Tue) by LtWorf (subscriber, #124958) [Link] (3 responses)

I am saying that I do not know how it works in this case, but for PyPI uploads there is a list of accepted OIDC. So using a known protocol isn't an indication of openness.

The next step in corporate control of 'open source'

Posted Oct 22, 2024 19:47 UTC (Tue) by Nahor (subscriber, #51583) [Link] (2 responses)

But we are not talking about PyPI. If the article didn't specify if Sigstore supports alternative OIDC providers, then sure, you could use PyPI as an example of which it might be. But the article, which I assume has been researched, does say it can be changed, so what PyPI does is irrelevant and all you're doing is spreading FUD.

The next step in corporate control of 'open source'

Posted Oct 22, 2024 20:04 UTC (Tue) by LtWorf (subscriber, #124958) [Link] (1 responses)

Can you please link the Sigstore documentation where it explains how to add a new OIDC? Because I've only seen mentions of Google/Microsoft but I could not find a documented way to add another.

The next step in corporate control of 'open source'

Posted Oct 22, 2024 20:20 UTC (Tue) by daroc (editor, #160859) [Link]

The documentation on how to add an OIDC provider to Fulcio lives here.

