Create proposal for PyPI organization #95
Now that we are publishing several PyPI packages we should officially propose creating a PyPI org to own them all: https://pypi.org/manage/organizations/
cc @tiran @russellb curious y'all's thoughts

Comments

seems like a good idea. I went ahead and requested an
Once the new org is approved, we should move all of our libs to the new org: https://pypi.org/search/?q=instructlab Current owners are:
It has been pointed out that it may be better to create a user owned by the @instructlab/oversight-committee to be the package owner
I've had some conversations with pypi about this as a "whole," and organizations are still in "progress" and will only be available to the sponsoring organizations any time soon. Unless our project can start sponsoring the PSP and pypi, this should be either completely back-burnered or closed as can't be done.
So shouldn't we go the user route I've suggested then @jjasghar? Otherwise all these packages will just be owned by a smattering of Red Hat and IBM engineers. We can create a user just called
Yep, that seems like the best path forward.
Ooooh, a 1password vault :-)
No, shared accounts are a bad idea. Don't do this. You want to be able to audit account activity and remove access of a person in case they leave the project or their work machine gets compromised.
What we have now is bad. So what do you propose?
Use individual, personal accounts in combination with strong 2FA (FIDO). Select a few people (3-4) to be project owners. InstructLab is using trusted publishing for releases anyway. Project admin access is only needed to yank a bad release or to add/remove another maintainer. You could make an argument that people should create a new work account with their work email address and not use their personal PyPI account. I don't think that's necessary.