22:49
<ljharb>
is it moved to 2pm every day or just this once?
22:49
<ljharb>
trusted publishing isn’t any more secure than our current setup, which is also one factor. It’s equally as secure modulo the flaw I described.
23:00
<bakkot>
every day
23:01
<bakkot>
I described above why I think trusted publishing is more secure than our current setup:

right now compromise of the publish job would allow an attacker to exfiltrate the token, which gives persistent access to publishing until the token is revoked, and would allow publishing all packages controlled by the tc39 user. with trusted publishing, assuming we remove the secret, it only gives one-off access and only to the one package

what part of that do you think is false, or do you not think that constitutes "more secure" for some other reason?
23:03
<bakkot>
though also to be clear I don't actually care much about the minor difference in security, just that this will continue to work next month after github disables existing non-granular tokens, and that it does not require manually rotating tokens