Hi folks, I've been CC'd into a bunch of discussion recently (example
<https://github.com/pypa/pip/issues/12250>) on whether PyPA projects should
add themselves to the PyPA organization on PyPI
<https://pypi.org/org/pypa/> and
wanted to start a thread to clear up any confusion and answer any questions.
*Why was the PyPA org created on PyPI?*
Mostly to provide an early example of a community organization on PyPI,
with the assumption that some PyPA projects may eventually want to move
their projects into the organization.
*Should projects move to the PyPA org on PyPI?*
This is entirely up to the maintainers of the project in question. Projects
should definitely not feel obligated to move to the organization.
*What's the benefit to moving to the PyPA org on PyPI?*
Currently, the primary benefit is that the project can further display its
relationship to the PyPA by having an organization listed on the project page
on PyPI (example <https://pypi.org/project/readme-renderer/>):
[image: PyPA organization shown on the readme-renderer project page]
Additionally, the nature of the permissions model means that all PyPA
organization owners effectively will have the same permissions as a project
owner. This could be a benefit (e.g., an additional backstop if the project
were to become unmaintained or abandoned) or could be a downside (e.g.,
another owner means another potential point of compromise) -- I think both
are equally unlikely, though.
*Who are the PyPA organization owners?*
Currently just me and @Ee Durbin <ee(a)python.org>, although I have no
reservations about adding other owners of the GitHub organization (who are
currently me, ewdurbin, dstufft, jaraco, pfmoore, pradyunsg
and xavfernandez) to owners of the PyPI organization.
*What can owners do to a project in the organization?*
TL;DR, adding a project to an organization makes all organization owners
equivalent to project owners. Here's the matrix on organization roles:
[image: matrix of PyPI organization roles and their permissions]
Currently, this does not give Ee and me the ability to do anything we can't
already *effectively* do as PyPI administrators, and we'll continue to
exercise the same judgement/caution with our PyPI credentials as we always
do. Note that this *could* extend privileges that didn't previously exist
to new individuals if we add additional organization owners. If that were
to happen, I would expect them to act as responsibly as they already do
with their GitHub organization ownership.
*Could projects join the PyPA organization but keep the same list of people
with authority to do releases?*
Yes, the existing list of owners/maintainers does not change (with one
exception if the transferring user is both a project owner and an
organization owner <https://github.com/pypi/warehouse/issues/13558>).
*Is every member of the PyPA organization able to release any project
that's in the organization?*
No, project owner/maintainer permissions to publish remain at the
per-project level.
*I would like to add my project to the PyPA organization; what should I do?*
Email me directly or @mention me into an issue on your repository and we
will sort out the necessary steps.
If you have any additional questions, feel free to respond here and I'll be
happy to answer them.