[FR] Move to PyPA org on PyPI? #12250

Open
1 task done
webknjaz opened this issue Aug 29, 2023 · 10 comments
Labels
S: needs triage (Issues/PRs that need to be triaged)
type: feature request (Request for a new feature)
type: maintenance (Related to Development and Maintenance Processes)

Comments

@webknjaz
Member

webknjaz commented Aug 29, 2023

What's the problem this feature will solve?

PyPA projects consolidation and continued access to publishing to PyPI?

Describe the solution you'd like

With the orgs feature on PyPI, there's a PyPA org that exists already — https://pypi.org/org/pypa/. Why not make use of it?

Alternative Solutions

...not doing that?

Additional context

PyPI orgs allow for displaying related projects under the same umbrella. They also implement a more fine-grained RBAC.

UPD: Dustin explained the implications as an FAQ in the ML: https://mail.python.org/archives/list/pypa-committers@python.org/thread/E6MWIHEK3M232UILXGQFYPHGJHF7VYW7/.

Code of Conduct

webknjaz added the labels "type: maintenance", "type: feature request" and "S: needs triage" on Aug 29, 2023
@pfmoore
Member

pfmoore commented Aug 29, 2023

You've posted the same issue on various projects. I suggest sorting out what is involved in moving projects, what the implications are, and how such a move would impact project governance somewhere central, otherwise we'll be having the same discussions over and over again, wasting people's time.

The pypa org on PyPI was, as far as I know, created by PyPI on the presumption that the PyPA projects would want it, but there's been no communication on how it would work for a loosely organised group of independently governed projects like the PyPA. Could projects join the org but keep the same list of people with authority to do releases, or would every member of the org be able to release any project that's in the org? While I don't expect anyone would abuse such a privilege, it does change the trust model for people who rely on (say) pip, if (for example) the pipenv maintainers now need to be trusted when evaluating the risks of using pip.

I'm -1 on moving any PyPA project to the pypa org until we understand how it affects project governance, security, and ownership questions.

There isn't a particularly good place for PyPA discussions like this - IMO it should be somewhat private (in other words, I do not think that the packaging category on Discourse is ideal), with only PyPA members able to comment but with the discussions available publicly for transparency. The only option I know of meeting those criteria is the PyPA mailing list.

@webknjaz
Member Author

You're right, I realized this later on.
Regarding the ML, the PyPA one is also publicly readable FTR.

@pfmoore
Member

pfmoore commented Aug 29, 2023

> Regarding the ML, the PyPA one is also publicly readable FTR.

Yes, that's what I meant when I said it "meets those criteria".

@webknjaz
Member Author

Oh, I misread and interpreted it as "it should be fully secret".

@pradyunsg
Member

pradyunsg commented Aug 30, 2023

I've added a backlink from all the open issues to this one.

> IMO it should be somewhat private (in other words, I do not think that the packaging category on Discourse is ideal), with only PyPA members able to comment but with the discussions available publicly for transparency.

Given that we don't really have this outside of the pypa-committers mailing list, let's do this on discuss.python.org?

@pradyunsg
Member

> until we understand how it affects project governance, security, and ownership questions.

@di has proactively moved specific projects over, so perhaps he's a good person to provide context on this...

@pfmoore
Member

pfmoore commented Aug 30, 2023

> Given that we don't really have this outside of the pypa-committers mailing list, let's do this on discuss.python.org?

My main reservation with discuss.python.org is that it is hard on there to know who is a PyPA member, and who is just an "interested bystander" voicing an opinion 🙁 As this is about PyPA governance, I do think that in this instance, the opinions of PyPA members specifically are what matters.

@di
Member

di commented Aug 30, 2023

I've sent an email to the pypa-committers@ mailing list to discuss this.

@webknjaz
Member Author

webknjaz commented Sep 6, 2023

Since the ML is public, I'm posting the direct link to that email here: https://mail.python.org/archives/list/pypa-committers@python.org/thread/E6MWIHEK3M232UILXGQFYPHGJHF7VYW7/.

@pfmoore ^

@pfmoore
Member

pfmoore commented Sep 6, 2023

Thanks. I saw it. I don’t personally think it’s worth it. There’s no real benefit that I can see.

4 participants