Mike Fiedler, Code Gardener

PyPI does not exist to be your personal or commercial software distribution platform, especially if you intentionally obfuscate your code.

The @osi@social.opensource.org definition includes:

> Deliberately obfuscated source code is not allowed.

More: https://opensource.org/osd

Since you can never be _everywhere_ you want to be at #FOSDEM, sometimes you have to watch back some of the dev room talks you missed.

@a@fedi.lawngno.me from the @rustfoundation@mastodon.social gave a great talk: A phishy case study - attacks on crates.io and others (namely @pypi@fosstodon.org and npmjs.com )

https://fosdem.org/2026/schedule/event/GFA3RJ-a_phishy_case_study/

Go watch it.

On my way home from #FOSDEM

The sheer amount of passion that is created by thousands of people from so many diverse backgrounds and perspectives, with so many ideas and opinions about #OpenSource is infectious and magical, even if for only a short time.

It was great seeing old friends and making new ones, hope to see you in the commit logs soon!

Twas the day before #FOSDEM

New @pypi@fosstodon.org blog

TL, DR:
- Trusted Publishing used for 25% of all files uploaded in Oct 2025
- GitLab Self-Managed now in beta
- Pending Publishers can be added for Organizations, too!

#Python #SupplyChain #Security

Read it here: https://blog.pypi.org/posts/2025-11-10-trusted-publishers-coming-to-orgs/