PyPI now has taken 2FA (two-factor authentication) in production, which is
a useful security measure I think. Also, Tidelift is able to measure which
accounts have 2FA enabled.
I had a look at our PyPI account, and there were many owners of it. This
isn't great from a security perspective. There are two roles on PyPI:
maintainer, and owner. Maintainers can upload, owners can add other people
and delete the whole account. The old PyPI added anyone as owner by
default, that's why we had so many. I already did some cleanup, removing
people who haven't uploaded a release in 8+ years and/or were never a NumPy
I propose to clean this up a little further. We don't need more than 3-4
owners (for enough redundancy), converting the rest to maintainer or
removing them would be better. Ideally everyone would also enable 2FA.
Given who now has access, I propose as owners Charles Harris, Matthew Brett
and myself. The other people who have access are fairly unlikely to do
another release in the near to medium future (or ever), except probably
Matti. So I propose that I make them maintainers now, and then send them an
email whether they want to keep access or not.
Does that sound okay?