PyPI now has taken 2FA (two-factor authentication) in production, which is a useful security measure I think. Also, Tidelift is able to measure which accounts have 2FA enabled.
I had a look at our PyPI account, and there were many owners of it. This isn't great from a security perspective. There are two roles on PyPI: maintainer, and owner. Maintainers can upload, owners can add other people and delete the whole account. The old PyPI added anyone as owner by default, that's why we had so many. I already did some cleanup, removing people who having uploaded a release in 8+ years and/or were never a NumPy maintainer.
I propose to clean this up a little further. We don't need more than 3-4 owners (for enough redundancy), converting the rest to maintainer or removing them would be better. Ideally everyone would also enable 2FA.
Given who now has access, I propose as owners Charles Harris, Matthew Brett and myself. The other people who have access are fairly unlikely to do another release in the near to medium future (or ever), except probably Matti. So I propose that I make them maintainers now, and then send them an email whether they want to keep access or not.
Does that sound okay?