Is part of the PEP’s intent to shift currently-implemented guidance away from {domain}/_/oidc/… to {upload_base}/_/...? In concrete terms, PyPI implementations are currently pointing at https://pypi.org/_/oidc/… and it seems like this is recommending that under the new guidance this would move to either:
- https://upload.pypi.org/_/oidc…
- https://upload.pypi.org/legacy/_/oidc…
Can you help clarify the intent of what upload_base would resolve to in its current form, and whether it would be a change for those who have already implemented TP on the current paths?
I’m not sure where the underscore came from, but PyPI has been using it for a while to manage machine-to-machine style integrations.
I appreciate the desire to have something more human-friendly, but maybe that was the original point? These aren’t for human (browser) consumption.
My preference is to keep the PyPI URLs already implemented for consistency, over adding more URL handlers to support more renames, or managing the change through a deprecation cycle/brownout/etc. if there isn’t a clear benefit to the change.
RubyGems has implemented theirs at /api/v1/oidc/trusted_publisher/exchange_token, and npmjs has done theirs at /-/npm/v1/oidc/token/exchange/package/${escapedPackageName} - so is there actually a need for the URL/paths style to be consistent?