There are author-email and maintainer-email fields.
You could also or instead use a mailing list address for the author-email or maintainer-email fields. Newlines work (just like file\nnames)?
With a mailing list, package maintainers can share responsibility (*) and hand off correspondence without forwards and indentation.
Google Groups is free; are there alternatives:
You can use a third-party service to create e.g. GitHub or GitLab issues via email; however, security-sensitive information (vulnerabilities, credentials, personal information) may require additional caution and admonitions.
If not otherwise specified in the long description, presumably the author-email and/or maintainer-email address(es) are the correct place to send fair disclosure information.
This could be a separate thread/issue and an additional package metadata field maybe for Package Metadata 1.3? Sorry, a BIT OT.
On Thursday, December 7, 2017, Barry Warsaw wrote:
I think I implicitly knew this, but as I've just released a package (to
be announced soon) that actually has multiple authors, I found out first
hand that PyPI rejects uploads where the author-email field isn't a
completely valid email address, and that there is no support for
multiple author emails.
As it turns out, you can kludge this into your pyproject.toml or file. flit for example separates multiple emails with a
newline, but you could also separate them with commas. You don't notice
the problem until PyPI rejects the upload (with a 400 IIRC).
I filed this issue with flit:
It looks like Thomas agrees that at least flit will eventually validate
its fields so you error early. It was a bit of a PITA to do my upload
because I didn't notice the problem until after I'd tagged the repo.
Multiple package authors doesn't seem like that fringe of a use case;
are there any plans, documents, PEPs, musings, grumbles about supporting
multiple package authors explicitly?
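An added example, not part of either message and not code from flit or PyPI: a check to run before tagging a release, so the failure described in the quoted message surfaces locally instead of as a rejected upload. It assumes the index accepts exactly one plain address per e-mail field, as the message reports; the address pattern, function names and sample metadata are constructed for illustration.

```python
import re

# Conservative single-address pattern. This is an assumption made for the
# example, not the validator PyPI actually runs.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# Separators people use to squeeze several addresses into one field.
_SEPARATORS = re.compile(r"[,;\r\n]+")

EMAIL_FIELDS = ("author-email", "maintainer-email")


def check_email_field(name, value):
    """Return a list of problems found in one metadata e-mail field."""
    problems = []
    parts = [p.strip() for p in _SEPARATORS.split(value) if p.strip()]
    if not parts:
        return [f"{name}: empty value"]
    if len(parts) > 1:
        problems.append(f"{name}: {len(parts)} addresses, expected exactly one")
    if "\n" in value or "\r" in value:
        # A line break inside a metadata value can also corrupt the
        # header-style metadata file, so report it separately.
        problems.append(f"{name}: contains a line break")
    for part in parts:
        if not _ADDR.fullmatch(part):
            problems.append(f"{name}: not a plain address: {part!r}")
    return problems


def check_metadata(meta):
    """Check every e-mail field present in a metadata mapping."""
    problems = []
    for field in EMAIL_FIELDS:
        if field in meta:
            problems.extend(check_email_field(field, meta[field]))
    return problems


if __name__ == "__main__":
    # Constructed sample: two authors joined by a newline, and a shared
    # mailing-list address as the maintainer contact.
    sample = {
        "author-email": "alice@example.com\nbob@example.com",
        "maintainer-email": "pkg-maintainers@lists.example.org",
    }
    for line in check_metadata(sample):
        print(line)
```
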