Security & trust

Trust model.

The current registry trust model is concrete: GitHub-linked publisher identity, compiler version metadata on each package version, readable package source and output, and visible install activity as a directional signal.

01 · section

What users can trust today

A package page should tell you who published it, which compiler version produced it, whether source is included, when it was published, and how to install it.

  • GitHub-linked publisher identity
  • Compiler version per published package version
  • Readable source and generated Swift output
  • Install activity based on registry install requests
  • Repository and homepage links when publishers provide them

02 · section

What is not live yet

Do not treat the registry as if it already has a signature-backed verified publisher program. Signature-based provenance and richer publisher verification are future upgrades, not current production behavior.
