Having had some time to think this over, I will attempt to explain what the current process is, and how I believe I should change it. It's worth noting that I'm the only person who handles support issues for PyPI (years ago Martin von Lowis also did this, and Donald Stufft has handled one or two cases over the years). There's various reasons for this, not the least of which is that direct ssh/database access is often required to investigate ownership issues.
When someone requests to take over a listing on PyPI, the process is:
* If the request comes in through some means other than the sf.net support tracker, I require the requestor to make the request through that tracker so there is a record,
* I ask whether they have contacted the current owner,
* I personally contact the owner through whatever means I have (sometimes this means using the address listed for the user in PyPI, sometimes that address is not valid so I use other means where possible),
* If contact is made, I ask the current owner to grant the requestor ownership if they feel it is appropriate,
* If contact is not made after one month, I add the requestor as an owner.
Between the support tracker and PyPI's audit log, all those actions are recorded.
However, in this instance, two things did not happen:
* I did not record that I had attempted to contact James in the tracker, and
* I did not use the listed contact address for James in my attempt to contact him, rather using the address I had in my personal address book.
I cannot definitively explain why I didn't do the first step. On the second count though, I can only claim laziness combined with my usually handling these requests in a bunch at 5pm or later after a work day (basically, when I can find a few moments to deal with the backlog). Actually, I think I might have been in an airport transit lounge in that particular instance. It was just easier to use the address I knew than to go through the hoops to find out the correct address to use. Not trying to excuse myself, just explain.
There have been some suggestions made:
* Publicly announcing the intention to make the change is a good one, though again finding an appropriate forum that enough people would actually read is tricky.
* Implement some sort of automated process. Given that we've struggled to produce Warehouse over *years* of development, I don't see this happening any time soon.
In light of this specific case, I have an additional change that I think I'll implement to attempt to prevent it again: In the instances where the current owner is unresponsive to my attempts to contact them, *and* the project has releases in the index, I will not transfer ownership. In the cases where no releases have been made I will continue to transfer ownership.
Your thoughts, as always, are welcome. Thanks to Danny for bringing the issue up, and to James and Alex for presenting their security concerns so clearly.