I'm curious what would happen if a maintainer's PC is compromised. Is there any line of defense left at that point?
replies(2):
A developer machine will have SSH keys and GitHub tokens that can be used to push a commit to GitHub, which will then be built, signed, and uploaded to PyPI.
Before, I could learn my password and type it into twine. If my machine was stolen, no upload to PyPI was possible.
Now it's a token file on my disk, so if my machine is stolen, the token can be used to publish.
Using GitHub to publish doesn't change anything: if my machine is stolen, the token needed to publish is still there, but instead of going directly to PyPI it will need to go via GitHub first.
But an attacker could simply edit the source code on the maintainer's machine directly, and it could go unnoticed.
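The "token file on my disk" point above is concrete: twine reads upload credentials from `~/.pypirc`, and a PyPI API token is stored there as username `__token__` with a `pypi-` prefixed password. The following is an added example, not code from any poster in this thread or from twine/PyPI, that audits such a file for credentials at rest and for loose file permissions. The sample `.pypirc` body, its placeholder token value, and the findings wording are constructed for illustration.

```python
"""Audit a .pypirc file for publish credentials resting on disk.

Added example for this thread, not code from any poster or from twine/PyPI.
twine reads upload credentials from ~/.pypirc (an INI file with per-index sections);
a PyPI API token is stored there as username "__token__" and a password beginning
with "pypi-". The sample config and findings format below are constructed.
"""
import configparser
import os
import stat
from typing import List

# Constructed sample: what a .pypirc looks like after switching from a typed
# password to a stored API token. The token value is a placeholder, not real.
SAMPLE_PYPIRC = """\
[distutils]
index-servers = pypi

[pypi]
username = __token__
password = pypi-AgEIcHlwaS5vcmcCJDAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMA
"""


def audit_pypirc_text(text: str, mode: int) -> List[str]:
    """Return findings for a .pypirc body and its file permission bits.

    mode is an st_mode value (e.g. 0o600). Findings are plain strings so a
    caller can print them or assert on them.
    """
    findings: List[str] = []
    cp = configparser.ConfigParser()
    cp.read_string(text)
    for section in cp.sections():
        if section == "distutils":
            continue  # only lists index names, never carries a secret
        user = cp.get(section, "username", fallback="")
        secret = cp.get(section, "password", fallback="")
        if not secret:
            continue  # twine will prompt at upload time; nothing at rest
        if user == "__token__" and secret.startswith("pypi-"):
            findings.append(f"[{section}] stores a PyPI API token in plaintext")
        else:
            findings.append(f"[{section}] stores a plaintext password")
    # A token that any local user can read is worse than one only the owner can read.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"file is readable by group/other (mode {stat.S_IMODE(mode):04o})"
        )
    return findings


def audit_pypirc_file(path: str) -> List[str]:
    """Audit a real file on disk; an absent file yields no findings."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_pypirc_text(text, os.stat(path).st_mode)


if __name__ == "__main__":
    print("sample config:")
    for finding in audit_pypirc_text(SAMPLE_PYPIRC, 0o644):
        print(" -", finding)
    print("your ~/.pypirc:")
    for finding in audit_pypirc_file(os.path.expanduser("~/.pypirc")):
        print(" -", finding)
```

Run it on a maintainer's machine to see exactly what an attacker with disk access would get without a password prompt; a clean result means twine would have to ask for credentials interactively, which is the state the second reply describes as preferable.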