On Fri, Sep 19, 2014 at 4:55 PM, Richard Jones firstname.lastname@example.org wrote:
> This is done at present, using the contact details registered with pypi. Or other contact methods if that fails. I always default to asking the current maintainer of a package to transfer it to a new maintainer.
Could you clarify when and how you attempted that contact in this case? At the email address on file for me at PyPI, I have received one email from you regarding PyPI, and it was the automated message regarding the Python wiki password breach.
Additionally, the requesting party had contacted me, and we had a brief but inconclusive discussion regarding whether it would be a good idea for the package to be resurrected under a new maintainer.
The fact that I literally woke up from a nap to find someone else had been assigned as an owner of one of my packages -- even one I've publicly stepped down as maintainer of -- without any notice to me that I can find from the PyPI side (I found out from seeing my name mentioned on Twitter, then saw this email thread), has placed me in a position where my faith in PyPI's security is now exactly zero, and I'm forced to consider whether I want to continue hosting packages there.
For now I have removed user 'macropin' from django-registration on PyPI. Do not make any further changes to the package's records/roles/etc. on PyPI unless I request it of you, via GPG-signed mail (my key is available quite publicly courtesy of Django releases).