VOTE: adding pypi-publish to PyPA on GitLab
Hi PyPA committers,
I'd like to open a vote on transferring pypi-publish to the PyPA GitLab org (*not* GitHub):
https://gitlab.com/trailofbits/pypi-publish
For a bit of context: pypi-publish is a GitLab "component", which is roughly analogous to a GitHub Action. Trail of Bits has created this component as a way to streamline GitLab usage of Trusted Publishing and attestations, similar to how pypa/gh-action-pypi-publish has streamlined usage of both on GitHub.
If accepted, I would be a primary maintainer on pypi-publish, along with my co-maintainer and colleague Facundo Tuesca (@facutuesca on both GitHub and GitLab).
Separately, the astute observer will note that PyPA doesn't have an official GitLab org yet. Ee is currently working on having gitlab.com/pypa released to the PyPA, but in the meantime there's a "holding pattern" organization with a subgroup for PyPA here:
https://gitlab.com/python-software-foundation
https://gitlab.com/python-software-foundation/pypa
Best, William Woodruff
+1
On May 21, 2025, at 11:32 AM, William Woodruff <william@yossarian.net> wrote:
_______________________________________________
PyPA-Committers mailing list -- pypa-committers@python.org
To unsubscribe send an email to pypa-committers-leave@python.org
https://mail.python.org/mailman3//lists/pypa-committers.python.org
Member address: ewdurbin@gmail.com
+1
On 2025-05-21 16:29, Ee Durbin via PyPA-Committers wrote:
A qualified +1 from me.
Would it be possible to transfer to the *github* PyPA organisation? Because that would work better with our existing infrastructure. If we do want a gitlab organisation, how will that work? I don't have a gitlab account, for example, and I don't particularly want to get one. I don't know about other PyPA members, but I suspect that most work solely on github. So it's not clear to me how the gitlab org will actually represent the PyPA in any real sense.
My +1 is because I don't want to see pypi-publish get dragged into PyPA admin issues, but if we do want to start hosting PyPA projects on gitlab, I think we need to have a separate discussion on what that would actually mean in a practical sense.
Paul
On Wed, 21 May 2025 at 16:32, William Woodruff <william@yossarian.net> wrote:
Hey Paul,
Thanks for raising that. I should have elaborated in the original message: GitLab's "components" feature works a lot like GitHub Actions, where the "component" (pypi-publish) needs to exist on the GitLab server itself.
As a result of that, pypi-publish more or less needs to exist on a GitLab instance, with the question then becoming whether it should exist under an official PyPA namespace or not (mirroring gh-action-pypi-publish).
All things being equal, I agree with you -- it's not ideal to have both. But unfortunately neither (GitHub or GitLab) plays nicely with the other in terms of reusing actions/components across servers.
(Or TL;DR: I agree that the GitLab org would not represent the PyPA in any real sense; this would be purely a namespacing move for a PyPA-worthy - IMO - project that can't be put on GitHub.)
Best, William
On Wed, May 21, 2025 at 6:01 PM Paul Moore <p.f.moore@gmail.com> wrote:
+1
On Wed, May 21, 2025, 19:52 William Woodruff <william@yossarian.net> wrote:
+1
On Wed, May 21, 2025 at 11:02 PM Bernat Gabor via PyPA-Committers <pypa-committers@python.org> wrote:
+1
I'm happy to aid in administering a PyPA org in Gitlab if that helps.
On Wed, May 21, 2025 at 7:52 PM, William Woodruff <william@yossarian.net> wrote:
+1
On 21. May 2025, at 17:32, William Woodruff <william@yossarian.net> wrote:
+1
On Wed, 21 May 2025, at 17:32, William Woodruff wrote:
+1
On Sun, May 25, 2025 at 09:51 Thomas Kluyver <thomas@kluyver.me.uk> wrote:
+1
However, to discuss administrative matters further, the Python Software Foundation GitLab organisation(?) would not be recognized as a PyPA organisation as defined in PEP 609 <https://peps.python.org/pep-0609/>. Thus, the admission of pypi-publish to the PyPA GitLab organisation would not automatically confer PyPA membership (or committership) to the project members. This would be relevant to Facundo Tuesca who is not a PyPA member yet AFAICT.
Practically, this is merely a wrinkle and I'd be totally fine with treating pypi-publish as a de facto PyPA project with the full privileges and responsibilities of membership. It's just worth remembering that this is technically not covered by the current PyPA governance structure.[^1]
*Richard Si* (he/him) GitHub: @ichard26
[^1]: It's not like we are going to update the PyPA governance policy to handle this edge case since it's all going to change if/once the proposed Python packaging governance PEP is accepted.
On Wed, 21 May 2025 at 11:32, William Woodruff <william@yossarian.net> wrote:
I don't agree. I understand that the PEP has a terminology definition that links only to the GitHub organization but I view that as documenting the state at the time of authorship not a requirement that projects only exist on GitHub. I could see folks preferring to have a project on Codeberg instead and move it to the PyPA without moving to GitHub or GitLab.
Nothing forbids those becoming official PyPA organizations conferring membership. If anything, I think we should start squatting those names to prevent confusion and impersonation.
Sent from my phone with my typo-happy thumbs. Please excuse my brevity
On Mon, Jun 2, 2025, 16:38 Richard Si via PyPA-Committers <pypa-committers@python.org> wrote:
+1 on having the org on GL and having this project in. It is de-facto mandatory to have this repository in there, as it's a building block in a tightly coupled ecosystem.
As for squatting namespaces on known platforms, I think it's a good idea. Specifically, for cases like this where a project is required to exist on a non-GH platform due to factors that aren't really up to humans.
I imagine this project would be linked from the official PyPI docs and so it's useful to recognize it as PyPA-official, even if the org isn't (yet?). I'd also link it from my GitHub Action and from PyPUG.
P.S. Also, responding to Paul's message about not having an account. It's probably fine, but I'd recommend people to squat their own usernames for a similar reason (impersonation risks). Logging in is possible via SSO (through the `Login via GitHub` button), which makes it low-maintenance (plus, it's possible to add 2FA on top of that).
On Tue, Jun 3, 2025 at 12:20 AM Ian Stapleton Cordasco via PyPA-Committers <pypa-committers@python.org> wrote:
I don't agree. I understand that the PEP has a terminology definition that links only to the GitHub organization but I view that as documenting the state at the time of authorship not a requirement that projects only exist on GitHub. I could see folks preferring to have a project on Codeberg instead and move it to the PyPA without moving to GitHub or GitLab.
Nothing forbids those becoming official PyPA organizations conferring membership. If anything, I think we should start squatting those names to prevent confusion and impersonation.
Sent from my phone with my typo-happy thumbs. Please excuse my brevity
On Mon, Jun 2, 2025, 16:38 Richard Si via PyPA-Committers <pypa-committers@python.org> wrote:
+1
However, to discuss administrative matters further, the Python Software Foundation GitLab organisation(?) would not be recognized as a PyPA organisation as defined in PEP 609. Thus, the admission of pypi-publish to the PyPA GitLab organisation would not automatically confer PyPA membership (or committership) to the project members. This would be relevant to Facundo Tuesca who is not a PyPA member yet AFAICT.
Practically, this is merely a wrinkle and I'd be totally fine with treating pypi-publish as a de facto PyPA project with the full privileges and responsibilities of membership. It's just worth remembering that this is technically not covered by the current PyPA governance structure.[^1]
Richard Si (he/him) GitHub: @ichard26
[^1]: It's not like we are going to update the PyPA governance policy to handle this edge case since it's all going to change if/once the proposed Python packaging governance PEP is accepted.
On Wed, 21 May 2025 at 11:32, William Woodruff <william@yossarian.net> wrote:
Hi PyPA committers,
I'd like to open a vote on transferring pypi-publish to the PyPA GitLab org (*not* GitHub):
https://gitlab.com/trailofbits/pypi-publish
For a bit of context: pypi-publish is a GitLab "component", which is roughly analogous to a GitHub Action. Trail of Bits has created this component as a way to streamline GitLab usage of Trusted Publishing and attestations, similar to how pypa/gh-action-pypi-publish has streamlined usage of both on GitHub.
If accepted, I would be a primary maintainer on pypi-publish, along with my co-maintainer and colleague Facundo Tuesca (@facutuesca on both GitHub and GitLab).
Separately, the astute observer will note that PyPA doesn't have an official GitLab org yet. Ee is currently working on having gitlab.com/pypa released to the PyPA, but in the meantime there's a "holding pattern" organization with a subgroup for PyPA here:
https://gitlab.com/python-software-foundation
https://gitlab.com/python-software-foundation/pypa
Best, William Woodruff
-- Warm regards, Sviatoslav Sydorenko
Hey all,
I concur with Ian and Sviatoslav on the administrative/procedural question: my interpretation of PEP 609's language is that it wasn't intended to confer exclusivity upon GitHub as the sole organizational host of the PyPA, but that GitHub was the de facto sole organizational host in 2019 and therefore was used to define membership as a matter of convenience. However, maybe Dustin, Sumana, or Pradyun could clarify the intent there?
Procedurally speaking however, maybe there's a simpler solution here? It occurs to me that github.com/pypa could have a "members" or similar repository that all members would be given the triage bit on, regardless of whether the PyPA project in question was in the GitHub organization or another official PyPA namespace on another service. That would satisfy the terminological question of membership without having to modify the PEP (which I agree would not be a good use of time given the larger governance proposal).
Separately, I realized that I made a different procedural error: I forgot (again) to ask another PyPA member to second the proposal before opening the vote. If someone would like to second the proposal retroactively I would appreciate it, otherwise I can re-start the vote.
Best, William Woodruff
On Tue, Jun 3, 2025 at 9:16 AM Sviatoslav Sydorenko via PyPA-Committers <pypa-committers@python.org> wrote:
+1 on having the org on GL and having this project in. It is de-facto mandatory to have this repository in there, as it's a building block in a tightly coupled ecosystem.
As for squatting namespaces on known platforms, I think it's a good idea. Specifically, for cases like this where a project is required to exist on a non-GH platform due to factors that aren't really up to humans.
I imagine this project would be linked from the official PyPI docs and so it's useful to recognize it as PyPA-official, even if the org isn't (yet?). I'd also link it from my GitHub Action and from PyPUG.
P.S. Also, responding to Paul's message about not having an account. It's probably fine, but I'd recommend people to squat their own usernames for a similar reason (impersonation risks). Logging in is possible via SSO (through the `Login via GitHub` button), which makes it low-maintenance (plus, it's possible to add 2FA on top of that).
Seconded.
On Tue, Jun 3, 2025 at 8:45 PM William Woodruff <william@yossarian.net> wrote:
Hey all,
I concur with Ian and Sviatoslav on the administrative/procedural question: my interpretation of PEP 609's language is that it wasn't intended to confer exclusivity upon GitHub as the sole organizational host of the PyPA, but that GitHub was the de facto sole organizational host in 2019 and therefore was used to define membership as a matter of convenience. However, maybe Dustin, Sumana, or Pradyun could clarify the intent there?
Procedurally speaking however, maybe there's a simpler solution here? It occurs to me that github.com/pypa could have a "members" or similar repository that all members would be given the triage bit on, regardless of whether the PyPA project in question was in the GitHub organization or another official PyPA namespace on another service. That would satisfy the terminological question of membership without having to modify the PEP (which I agree would not be a good use of time given the larger governance proposal).
Separately, I realized that I made a different procedural error: I forgot (again) to ask another PyPA member to second the proposal before opening the vote. If someone would like to second the proposal retroactively I would appreciate it, otherwise I can re-start the vote.
Best, William Woodruff
-- Warm regards, Sviatoslav Sydorenko
Software Hacker @ Ansible Core
---
https://useplaintext.email/
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
---
Alrighty,
I regret digging into the administrative details of the GitLab PyPA organisation. I'd really rather not make anyone do any more work than necessary--including creating a members project--to satisfy the textual requirements of PyPA governance. I simply wanted to flag it for the record.
I don't want to derail the vote, so to keep things simple, we can pretend that I didn't bring this up. My bad.
Richard Si (he/him) GitHub: @ichard26
On Tue, 3 Jun 2025 at 14:45, William Woodruff <william@yossarian.net> wrote:
Hey all,
I concur with Ian and Sviatoslav on the administrative/procedural question: my interpretation of PEP 609's language is that it wasn't intended to confer exclusivity upon GitHub as the sole organizational host of the PyPA, but that GitHub was the de facto sole organizational host in 2019 and therefore was used to define membership as a matter of convenience. However, maybe Dustin, Sumana, or Pradyun could clarify the intent there?
Procedurally speaking however, maybe there's a simpler solution here? It occurs to me that github.com/pypa could have a "members" or similar repository that all members would be given the triage bit on, regardless of whether the PyPA project in question was in the GitHub organization or another official PyPA namespace on another service. That would satisfy the terminological question of membership without having to modify the PEP (which I agree would not be a good use of time given the larger governance proposal).
Separately, I realized that I made a different procedural error: I forgot (again) to ask another PyPA member to second the proposal before opening the vote. If someone would like to second the proposal retroactively I would appreciate it, otherwise I can re-start the vote.
Best, William Woodruff
Hey all,
It's been ~2 weeks since the last voting activity here, so I believe the vote has concluded and passes.
@Ee Durbin let me know how you'd like to coordinate things here!
Best, William
On Tue, Jun 3, 2025 at 8:58 PM Richard Si <sichard26@gmail.com> wrote:
Alrighty,
I regret digging into the administrative details of the GitLab PyPA organisation. I'd really rather not make anyone do any more work than necessary--including creating a members project--to satisfy the textual requirements of PyPA governance. I simply wanted to flag it for the record.
I don't want to derail the vote, so to keep things simple, we can pretend that I didn't bring this up. My bad.
Richard Si (he/him) GitHub: @ichard26
Hey Ee,
On Wed, Jun 18, 2025 at 7:30 PM William Woodruff <william@yossarian.net> wrote:
It's been ~2 weeks since the last voting activity here, so I believe the vote has concluded and passes.
@Ee Durbin let me know how you'd like to coordinate things here!
Is this still on your radar?
-- Warm regards, Sviatoslav Sydorenko
On Wed, Sep 3, 2025 at 6:51 PM Sviatoslav Sydorenko <webknjaz@redhat.com> wrote:
On Wed, Jun 18, 2025 at 7:30 PM William Woodruff <william@yossarian.net> wrote:
It's been ~2 weeks since the last voting activity here, so I believe the vote has concluded and passes.
@Ee Durbin let me know how you'd like to coordinate things here!
Is this still on your radar?
FTR, I've pinged Jacob Coffee off-list about this as it seems he should be able to help with the GL org now and try to unblock this process.
- Sviatoslav
participants (13)
- Bernat Gabor
- Ee Durbin
- Ian Stapleton Cordasco
- Jannis Leidel
- Jason R. Coombs
- Jeremy Bowman
- Matthias Bussonnier
- Mike
- Paul Moore
- Richard Si
- Sviatoslav Sydorenko
- Thomas Kluyver
- William Woodruff